Deprecate /mnt/sdcard -> /storage/self/primary symlink.

"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/

Apps targeting R+ must NOT use that symlink.

For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.

Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index fcdd653..8c91561 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -343,3 +343,11 @@
   -untrusted_app_25
   -untrusted_app_27
 } ashmem_device:chr_file open;
+
+# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
+# must not use it.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} mnt_sdcard_file:lnk_file *;
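Review bot: The comment above the new neverallow says apps must not use the symlink, yet the rule exempts `untrusted_app_25` and `untrusted_app_27` without saying why. I would add a line such as `# Only the legacy untrusted_app_25/untrusted_app_27 domains may still read it.` The cut-off is also per domain rather than per targetSdkVersion. Whether `untrusted_app` really corresponds to the "R+" named in the description depends on seapp_contexts, which this change does not touch, so that mapping is worth confirming. The assertion covers untrusted app domains only; other app domains are presumably kept out just by the absence of an allow rule.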
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index a102ab0..e34cdb8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1617,7 +1617,9 @@
 (typeattributeset thermalserviced_28_0 (thermalserviced))
 (typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0 (tmpfs))
+(typeattributeset tmpfs_28_0
+  ( mnt_sdcard_file
+    tmpfs))
 (typeattributeset tombstoned_28_0 (tombstoned))
 (typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
 (typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
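Review bot: Adding `mnt_sdcard_file` to `tmpfs_28_0` means every vendor rule written against `tmpfs` in 28.0 policy keeps the same access to the deprecated symlink, so the new type narrows access for platform domains only. That is probably the intended compatibility behaviour, but a one-line comment above the entry, e.g. `; /mnt/sdcard was labeled tmpfs in 28.0`, would keep it from being read as an accidental widening. If the tree carries mapping files for older versions, they presumably need the same entry or an ignore-list entry; that is not visible in this diff.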
diff --git a/private/file_contexts b/private/file_contexts
index 7cbb623..9785ffb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -637,6 +637,7 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/sdcard                 u:object_r:mnt_sdcard_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
 
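Review bot: The new `/mnt/sdcard` entry has no file-type specifier, so it would label any object created at that path, while every rule in this change grants access on the `lnk_file` class only. Restricting it with `-l`, i.e. `/mnt/sdcard    -l    u:object_r:mnt_sdcard_file:s0`, records that only the symlink is expected there. The neverallow and the legacy allows all depend on the link actually carrying this label. The test step could therefore check the label itself (for example with `ls -Zd /mnt/sdcard`) rather than only that the link still exists after boot.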
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5bad58f..45aeddc 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,6 @@
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
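Review bot: `r_file_perms` grants more than resolving a symlink needs; a narrower `allow untrusted_app_25 mnt_sdcard_file:lnk_file { getattr read };` would match the comment "Read /mnt/sdcard symlink". The ashmem deprecation just above pairs its allow with an `auditallow` so that legacy use is logged, whereas this rule has none, so there will be no signal on how many legacy apps still rely on the link. Adding `auditallow untrusted_app_25 mnt_sdcard_file:lnk_file read;` would provide that signal, log volume permitting. Both points apply equally to the identical rule added in private/untrusted_app_27.te.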
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index eaa1791..03b3013 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -45,3 +45,6 @@
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 7d48fb4..c8953de 100644
--- a/public/file.te
+++ b/public/file.te
@@ -291,6 +291,7 @@
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
 type mnt_expand_file, file_type;
+type mnt_sdcard_file, file_type;
 type storage_file, file_type;
 
 # Label for storage dirs which are just mount stubs
diff --git a/public/init.te b/public/init.te
index 06af302..bde7ac6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,9 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
 # setrlimit
 allow init self:global_capability_class_set sys_resource;