Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
access to the lower filesystem (or sdcardfs).
At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.
The following components need varying sepolicy privileges:
Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink
zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold
installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through
priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through
Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e3eda7e..6ccc473 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -49,6 +49,7 @@
mirror_data_file
linker_prop
linkerconfig_file
+ mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
ota_metadata_file
diff --git a/private/file_contexts b/private/file_contexts
index 2ab86fd..aa4ec5e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -690,6 +690,7 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/private/priv_app.te b/private/priv_app.te
index f68586a..3cd1a70 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -76,6 +76,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Access to /mnt/pass_through.
+allow priv_app mnt_pass_through_file:dir r_dir_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..0b55958 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -119,6 +119,10 @@
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
diff --git a/public/file.te b/public/file.te
index 9573ad0..2f9332f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -314,6 +314,7 @@
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;
diff --git a/public/installd.te b/public/installd.te
index 10277d2..a6307ef 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -57,6 +57,9 @@
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..244d192 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -103,6 +103,10 @@
allow vold mnt_user_file:lnk_file create_file_perms;
allow vold mnt_user_file:file create_file_perms;
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
