Harden /mnt/pass_through paths Only the FUSE daemon (with media_rw gid) needs access to paths on /mnt/pass_through. And even then, it only needs execute access on the dirs, since there will always be a bind mount either from sdcardfs or the lower filesystem on it and that bind mount correctly handles ACLs for the FUSE daemon. Test: manual Bug: 135341433 Change-Id: I999451e095da355e6247e9e18fb6fe1ab8fc45d6

commit: 2ef2606f5630df1ace06232ad57518fbdffee665 [log] [tgz]
author: Zim <zezeozue@google.com> Fri Jan 31 16:26:13 2020 +0000
committer: Zim <zezeozue@google.com> Fri Jan 31 16:26:13 2020 +0000
tree: a56dd484a2c5b3dfd385667355d2f84b8da4c942
parent: d345b883bcf4dd2e675b0c7e8227e6514c25f481 [diff]
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 5f4b8c3..50b4a4c 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -174,10 +174,10 @@
 
     # Prepare directories for pass through processes
     mkdir /mnt/pass_through 0700 root root
-    mkdir /mnt/pass_through/0 0755 root root
-    mkdir /mnt/pass_through/0/self 0755 root root
-    mkdir /mnt/pass_through/0/emulated 0755 root root
-    mkdir /mnt/pass_through/0/emulated/0 0755 root root
+    mkdir /mnt/pass_through/0 0710 root media_rw
+    mkdir /mnt/pass_through/0/self 0710 root media_rw
+    mkdir /mnt/pass_through/0/emulated 0710 root media_rw
+    mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
 
     mkdir /mnt/expand 0771 system system
     mkdir /mnt/appfuse 0711 root root
commit	2ef2606f5630df1ace06232ad57518fbdffee665	[log] [tgz]
author	Zim <zezeozue@google.com>	Fri Jan 31 16:26:13 2020 +0000
committer	Zim <zezeozue@google.com>	Fri Jan 31 16:26:13 2020 +0000
tree	a56dd484a2c5b3dfd385667355d2f84b8da4c942
parent	d345b883bcf4dd2e675b0c7e8227e6514c25f481 [diff]