From a67b40bc2a8d94413aa6d726bdde23563f7344d0 Mon Sep 17 00:00:00 2001
From: Zim
Date: Fri, 31 Jan 2020 16:26:13 +0000
Subject: [PATCH] Harden /mnt/pass_through paths

Only the FUSE daemon (with media_rw gid) needs access to paths on /mnt/pass_through. And even then, it only needs execute access on the dirs, since there will always be a bind mount either from sdcardfs or the lower filesystem on it and that bind mount correctly handles ACLs for the FUSE daemon.

Test: manual
Bug: 135341433
Change-Id: I999451e095da355e6247e9e18fb6fe1ab8fc45d6
---
 rootdir/init.rc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 5f4b8c3ab..50b4a4c75 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -174,10 +174,10 @@ on init
 # Prepare directories for pass through processes
 mkdir /mnt/pass_through 0700 root root
- mkdir /mnt/pass_through/0 0755 root root
- mkdir /mnt/pass_through/0/self 0755 root root
- mkdir /mnt/pass_through/0/emulated 0755 root root
- mkdir /mnt/pass_through/0/emulated/0 0755 root root
+ mkdir /mnt/pass_through/0 0710 root media_rw
+ mkdir /mnt/pass_through/0/self 0710 root media_rw
+ mkdir /mnt/pass_through/0/emulated 0710 root media_rw
+ mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
 mkdir /mnt/expand 0771 system system
 mkdir /mnt/appfuse 0711 root root
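Review bot: The comment above the four changed mkdir lines still reads only "Prepare directories for pass through processes", so the reason for `0710 root media_rw` is recorded nowhere but the commit message; I would add it next to the lines, e.g. `# 0710 root:media_rw: only the FUSE daemon (gid media_rw) may traverse these; file access is governed by the bind mount placed on top`. The parent `/mnt/pass_through` stays `0700 root root` in the context line, so a process holding only gid media_rw cannot walk into these directories through that path. Presumably the daemon reaches them through a bind mount in its own mount namespace, but if it is expected to resolve the path directly the parent would need `0710 root media_rw` as well, and either way the comment should say which is intended. Only user 0 is visible in this hunk; whatever creates the per-user equivalents (outside this patch) should apply the same mode and group, otherwise the tightening covers the primary user alone.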