Let Zygote unmount inherited storage devices.

For example, when launching into an isolated process, we need to drop all mounts inherited from the root namespace. avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1 Bug: 22192518 Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
author: Jeff Sharkey <jsharkey@android.com> 2015-06-30 15:56:46 -0700
committer: The Android Automerger <android-build@google.com> 2015-06-30 19:39:55 -0700
commit: 630f80aef911f5332918a119d8aef7d7c5dbf076 (patch)
tree: 541341f22b8671a1767d03e7f1c6a91a68681da2
parent: cb79c9a863e1a9221f16ae0f8478c418f00875a7 (diff)
download: sepolicy-630f80aef911f5332918a119d8aef7d7c5dbf076.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/zygote.te b/zygote.te
index 598589e..7029344 100644
--- a/zygote.te
+++ b/zygote.te
@@ -54,6 +54,7 @@ allow zygote sdcard_type:dir { write search setattr create add_name mounton }; #
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
 allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold
author	Jeff Sharkey <jsharkey@android.com>	2015-06-30 15:56:46 -0700
committer	The Android Automerger <android-build@google.com>	2015-06-30 19:39:55 -0700
commit	630f80aef911f5332918a119d8aef7d7c5dbf076 (patch)
tree	541341f22b8671a1767d03e7f1c6a91a68681da2
parent	cb79c9a863e1a9221f16ae0f8478c418f00875a7 (diff)
download	sepolicy-630f80aef911f5332918a119d8aef7d7c5dbf076.tar.gz