Grant vold, installd, zygote and apps access to /mnt/pass_through

/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to serve content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e3eda7e..6ccc473 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -49,6 +49,7 @@
     mirror_data_file
     linker_prop
     linkerconfig_file
+    mnt_pass_through_file
     mock_ota_prop
     module_sdkextensions_prop
     ota_metadata_file
diff --git a/private/file_contexts b/private/file_contexts
index 2ab86fd..aa4ec5e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -690,6 +690,7 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)?     u:object_r:mnt_pass_through_file:s0
 /mnt/sdcard                 u:object_r:mnt_sdcard_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
diff --git a/private/priv_app.te b/private/priv_app.te
index f68586a..3cd1a70 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -76,6 +76,9 @@
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
+# Access to /mnt/pass_through.
+allow priv_app mnt_pass_through_file:dir r_dir_perms;
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
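Review bot: The new `allow priv_app mnt_pass_through_file:dir r_dir_perms;` rule applies to every process in the priv_app domain, while the commit message names only the FUSE daemon as the consumer. The comment `# Access to /mnt/pass_through.` records neither the reason nor that breadth. Something like `# The FUSE daemon runs as priv_app and walks /mnt/pass_through to serve the lower filesystem. Note: applies to every priv_app.` would make the scope visible to a later audit. The grant is directory read only, so access to what is mounted below presumably still depends on the lower filesystem's own labels, which this hunk does not show.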
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..0b55958 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -119,6 +119,10 @@
 allow zygote mnt_user_file:dir { create_dir_perms mounton };
 allow zygote mnt_user_file:lnk_file create_file_perms;
 allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
 
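Review bot: The zygote rule added here grants only `dir { create_dir_perms mounton }` on mnt_pass_through_file, although the commit message says zygote has the same requirements as vold, and the vold.te hunk also adds `lnk_file create_file_perms`. If zygote is expected to create the self/primary symlink when it runs before vold, that step would be denied. The mnt_user_file rules just above give zygote both `lnk_file` and `file` access, so the asymmetry may be unintended. Either add `allow zygote mnt_pass_through_file:lnk_file create_file_perms;` if the symlink path is real, or keep the narrower grant and say so in the comment, for example `# Allow creating and mounting on /mnt/pass_through directories if started before vold; the self/primary symlink is created by vold only.`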
diff --git a/public/file.te b/public/file.te
index 9573ad0..2f9332f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -314,6 +314,7 @@
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
 type mnt_expand_file, file_type;
 type mnt_sdcard_file, file_type;
 type storage_file, file_type;
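Review bot: The new `mnt_pass_through_file` type is declared without any visible neverallow limiting which domains may create or mount on it, even though the commit message describes /mnt/pass_through as the path that gives unrestricted access to the lower filesystem. A guard such as `neverallow { domain -vold -zygote } mnt_pass_through_file:dir mounton;` would stop a later change from quietly widening the set of domains that can mount there. The exception list is inferred from this commit alone and needs checking against any other domain that legitimately sets up these directories. Such a rule may already exist elsewhere in the policy, outside this diff.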
diff --git a/public/installd.te b/public/installd.te
index 10277d2..a6307ef 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -57,6 +57,9 @@
 # optimizing application code.
 allow installd system_data_file:lnk_file { create getattr read setattr unlink };
 
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
 allow installd media_rw_data_file:file { getattr unlink };
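Review bot: The comment `# Manage lower filesystem via pass_through mounts` claims more than the rule grants, since `r_dir_perms` on mnt_pass_through_file only lets installd list and traverse the mount-point directories. The clear/destroy work described in the commit message would rely on rules for the lower filesystem's own types, which are outside this hunk. A comment such as `# Walk /mnt/pass_through to reach the lower filesystem when clearing or destroying app data (read-only on the mount-point directories).` would keep a later reader from assuming write access was intended here.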
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..244d192 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -103,6 +103,10 @@
 allow vold mnt_user_file:lnk_file create_file_perms;
 allow vold mnt_user_file:file create_file_perms;
 
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
 # Allow to create and mount expanded storage
 allow vold mnt_expand_file:dir { create_dir_perms mounton };
 allow vold apk_data_file:dir { create getattr setattr };