# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions.
#
# The split keeps CAP_SYS_ADMIN (needed for mount(2)/umount(2)) out of the
# untrusted FUSE daemon: fuseblkd_untrusted may only exec into this domain,
# and the neverallow rules at the bottom pin that down to a single path.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;

# Marks fuseblkd as a core (system-image) domain, so the coredomain-wide
# rules and neverallows defined elsewhere in the policy apply to it too.
typeattribute fuseblkd coredomain;

# Required for mount and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
# sys_admin is a single, coarse capability permission - SELinux cannot grant
# "only the mount part" of it. That is why this domain is kept this small:
# the filesystem and mounton rules below are what actually bound what can
# be mounted and where.
allow fuseblkd self:global_capability_class_set sys_admin;

# Permissions for the fuseblk filesystem.
# Read/write on the fuse_device character device, and mount/unmount of
# filesystems labeled fuseblk. No other filesystem-class permission (e.g.
# remount, relabelfrom/relabelto) is granted in this file.
allow fuseblkd fuse_device:chr_file rw_file_perms;
allow fuseblkd fuseblk:filesystem { mount unmount };
# Use of file descriptors inherited from fuseblkd_untrusted across the exec
# into this domain (presumably the already-opened device/FUSE fds; confirm
# against fuseblkd_untrusted.te).
allow fuseblkd fuseblkd_untrusted:fd use;

# Look through block devices to find the correct one.
# Directory search only: this file grants no blk_device open/read/write, so
# this rule by itself does not let fuseblkd open block devices.
allow fuseblkd block_device:dir search;

# Permissions to mount on the media_rw directory for USB drives.
# search on the parent type, mounton only on the stub type, so the mount
# point is constrained to directories labeled mnt_media_rw_stub_file.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###

# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
# Together these three rules make fuseblkd reachable by exactly one path:
#  - no domain other than fuseblkd_untrusted may transition into it;
#  - no domain at all may dyntransition (setcon) into it, i.e. no exec-less
#    entry;
#  - the only valid entrypoint file is one labeled fuseblkd_exec (fs_type is
#    included so files carrying a filesystem label cannot serve as one).
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
