microdroid: apk is mounted via apkdmverity In microdroid, APK and its idsig is used to dm-verity mount before zipfuse mounts it into a filesystem. Bug: 190343842 Test: MicrodroidHostTestCases Change-Id: Icd48fb823eabc087c0266e46f9b3d302e90fd208

commit: d4a7a7a04307536b7751e455e04621ce65879636 [log] [tgz]
author: Jooyung Han <jooyung@google.com> Thu Jun 17 13:05:36 2021 +0900
committer: Jooyung Han <jooyung@google.com> Thu Jun 17 14:29:29 2021 +0900
tree: 19de2a41ca9f30a7a0fde04052047d6f8c8d9cf6
parent: df045e4c9b9ad011d330dc15193556b2e13b34fb [diff] [blame]
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index c451fcf..4a59f73 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te

@@ -501,7 +501,8 @@
 
 # Only init and otapreopt_chroot should be mounting filesystems on locations
 # labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+# In microdroid, zipfuse is allowed mounton /mnt/apk.
+neverallow { domain -init -otapreopt_chroot -zipfuse } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
 # Only allow init and vendor_init to read/write mm_events properties
 # NOTE: dumpstate is allowed to read any system property
commit	d4a7a7a04307536b7751e455e04621ce65879636	[log] [tgz]
author	Jooyung Han <jooyung@google.com>	Thu Jun 17 13:05:36 2021 +0900
committer	Jooyung Han <jooyung@google.com>	Thu Jun 17 14:29:29 2021 +0900
tree	19de2a41ca9f30a7a0fde04052047d6f8c8d9cf6
parent	df045e4c9b9ad011d330dc15193556b2e13b34fb [diff] [blame]