Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through"

2020-01-28 22:26:58 +00:00 · 2020-01-28 22:26:58 +00:00 · 5119becf5d
commit 5119becf5d
parent b3ed1d4245 fcf599c89c
7 changed files with 17 additions and 0 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -61,6 +61,7 @@
    light_service
    linker_prop
    linkerconfig_file
+    mnt_pass_through_file
    mock_ota_prop
    module_sdkextensions_prop
    ota_metadata_file
--- a/private/file_contexts
+++ b/private/file_contexts
@ -701,6 +701,7 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)?     u:object_r:mnt_pass_through_file:s0
 /mnt/sdcard                 u:object_r:mnt_sdcard_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -60,6 +60,9 @@ allow priv_app cache_file:lnk_file r_file_perms;
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;

+# Access to /mnt/pass_through.
+allow priv_app mnt_pass_through_file:dir r_dir_perms;
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
--- a/private/zygote.te
+++ b/private/zygote.te
@ -129,6 +129,10 @@ allow zygote sdcardfs:filesystem { unmount };
 allow zygote mnt_user_file:dir { create_dir_perms mounton };
 allow zygote mnt_user_file:lnk_file create_file_perms;
 allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };

--- a/public/file.te
+++ b/public/file.te
@ -315,6 +315,7 @@ type incremental_root_file, file_type, data_file_type, core_data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
 type mnt_expand_file, file_type;
 type mnt_sdcard_file, file_type;
 type storage_file, file_type;
--- a/public/installd.te
+++ b/public/installd.te
@ -57,6 +57,9 @@ allow installd system_data_file:dir create_dir_perms;
 # optimizing application code.
 allow installd system_data_file:lnk_file { create getattr read setattr unlink };

+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
 allow installd media_rw_data_file:file { getattr unlink };
--- a/public/vold.te
+++ b/public/vold.te
@ -109,6 +109,10 @@ allow vold mnt_user_file:dir { create_dir_perms mounton };
 allow vold mnt_user_file:lnk_file create_file_perms;
 allow vold mnt_user_file:file create_file_perms;

+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
 # Allow to create and mount expanded storage
 allow vold mnt_expand_file:dir { create_dir_perms mounton };
 allow vold apk_data_file:dir { create getattr setattr };