Allow execution of code in extra APKs
Protected by the multi-tenant flag. This is to allow platform-owned
VMs to be able to incorporate code from multiple sources.
Bug: 302677468
Test: atest MicrodroidTests
Change-Id: Iba7cafc0c4b5f15a08c91dd7083b10ec2bb5230f
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index a496d53..dd0ddbb 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -729,9 +729,11 @@
let mount_dir = format!("/mnt/extra-apk/{i}");
create_dir(Path::new(&mount_dir)).context("Failed to create mount dir for extra apks")?;
- // don't wait, just detach
+ let mount_for_exec =
+ if cfg!(multi_tenant) { MountForExec::Allowed } else { MountForExec::Disallowed };
+ // These run asynchronously in parallel - we wait later for them to complete.
zipfuse.mount(
- MountForExec::Disallowed,
+ mount_for_exec,
"fscontext=u:object_r:zipfusefs:s0,context=u:object_r:extra_apk_file:s0",
Path::new(&format!("/dev/block/mapper/extra-apk-{i}")),
Path::new(&mount_dir),
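Review bot: The exec decision at `let mount_for_exec = if cfg!(multi_tenant) { … }` depends only on a build-time flag, so in a multi_tenant build every extra APK handled by this loop is mounted with execution allowed; nothing visible in the hunk limits it to the platform-owned VMs the description mentions. If that restriction, and verification of each extra APK before it is mounted, are enforced elsewhere, the code should say so at this point, for example `// Exec is allowed only in multi_tenant builds; each extra APK must already be verified before it is mounted here.` The replacement comment also states that the mounts are waited for later, but the wait is not in this hunk, so the comment should name where it happens. The enclosing loop and function start and end outside the hunk.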