Allow dexopt_chroot_setup to bind-mount dirs for incremental apps. Bug: 311377497 Test: adb shell pm art pr-dexopt-job --test Change-Id: I8da90876191eadfea77d34c7441d0e4bdb377d31

commit: 0a49ac3dbd1687b772428fd539a14a5994a32cc9 [log] [tgz]
author: Jiakai Zhang <jiakaiz@google.com> Mon Jun 03 20:12:40 2024 +0100
committer: Jiakai Zhang <jiakaiz@google.com> Mon Jun 03 20:43:25 2024 +0100
tree: 40ec16e74fde8c5e9ef99aa6cbf3bcc2b1e95f5f
parent: 2f4324ac5d0c2ab21876d9f4aacea87be7d0f56d [diff]
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 5dd0e5d..ede53d4 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te

@@ -43,6 +43,7 @@
 # Allow mounting file systems, to create a chroot environment.
 allow dexopt_chroot_setup {
   apex_mnt_dir
+  apk_data_file
   binderfs
   cgroup
   cgroup_v2
@@ -119,6 +120,9 @@
 # Allow running snapshotctl through init, to map and unmap block devices.
 set_prop(dexopt_chroot_setup, snapshotctl_prop)
 
+# Allow accessing /data/app/..., to bind-mount dirs for incremental apps.
+allow dexopt_chroot_setup apk_data_file:dir { getattr search };
+
 # Neverallow rules.
 
 # Never allow running other binaries without a domain transition.
commit	0a49ac3dbd1687b772428fd539a14a5994a32cc9	[log] [tgz]
author	Jiakai Zhang <jiakaiz@google.com>	Mon Jun 03 20:12:40 2024 +0100
committer	Jiakai Zhang <jiakaiz@google.com>	Mon Jun 03 20:43:25 2024 +0100
tree	40ec16e74fde8c5e9ef99aa6cbf3bcc2b1e95f5f
parent	2f4324ac5d0c2ab21876d9f4aacea87be7d0f56d [diff]