Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 0159a0c..149c6ee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -61,6 +61,7 @@
light_service
linker_prop
linkerconfig_file
+ mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
ota_metadata_file
diff --git a/private/file_contexts b/private/file_contexts
index 77a6941..be1453a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -701,6 +701,7 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee..643c06f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -60,6 +60,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Access to /mnt/pass_through.
+allow priv_app mnt_pass_through_file:dir r_dir_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
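Review bot: The added rule `allow priv_app mnt_pass_through_file:dir r_dir_perms;` lets priv_app open and list /mnt/pass_through, but the comment `# Access to /mnt/pass_through.` does not say what needs that access. If the domain only has to traverse the directory to reach what is mounted beneath it, `allow priv_app mnt_pass_through_file:dir search;` would be the narrower grant. If listing is required, the comment should name the consumer. The installd.te hunk has a similar mismatch: its comment says "Manage lower filesystem" while the rule grants directory read only, so the comment or the permission set should be adjusted to agree.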
diff --git a/private/zygote.te b/private/zygote.te
index 682f609..3963459 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -129,6 +129,10 @@
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
diff --git a/public/file.te b/public/file.te
index 408d515..b2909ff 100644
--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,7 @@
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;
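Review bot: `mnt_pass_through_file` is declared with only `file_type`, and nothing visible in this change limits which domains can later be granted `mounton` on it. The vold.te and zygote.te hunks treat directories of this type as mount points for user storage, so a neverallow would stop a future rule from quietly widening that access, for example `neverallow { domain -vold -zygote } mnt_pass_through_file:dir mounton;`. The exclusion list is inferred from the two `mounton` grants in this diff. init or other domains outside the visible hunks may need to be added before it builds.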
diff --git a/public/installd.te b/public/installd.te
index 10277d2..a6307ef 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -57,6 +57,9 @@
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
diff --git a/public/vold.te b/public/vold.te
index c1509f1..0ffa119 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -109,6 +109,10 @@
allow vold mnt_user_file:lnk_file create_file_perms;
allow vold mnt_user_file:file create_file_perms;
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
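Review bot: The comment `# Manage per-user pass_through primary symlinks` describes only the `lnk_file` rule, but the first added rule also lets vold create directories of this type and mount on them. Suggested wording: `# Create and mount per-user pass_through directories and manage their primary symlinks`. The zygote.te hunk has the reverse gap: its comment mentions mounting only, while the rule also grants `create_dir_perms`. A comment that states the full grant makes later audits of who can alter these mount points easier.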