Allow dexopt_chroot_setup to mount/unmount debugfs.
Some old devices use debugfs for /sys/kernel/debug.
Bug: 311377497
Change-Id: Ib9958b5cfdd85c37acd27ff6e637efdbd2a068e3
Test: adb shell pm art pr-dexopt-job --test
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 5dd0e5d..b74a740 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -41,11 +41,19 @@
allow dexopt_chroot_setup block_device:dir { getattr search };
# Allow mounting file systems, to create a chroot environment.
+# We recursively bind-mount directories under /data, /mnt/expand, /proc, /sys,
+# and /dev. We need some of them (e.g., incremental-fs directories for
+# incremental apps in /data; /dev/cpuctl and /dev/blkio for task profiles), but
+# not necessarily all of them. However, to avoid random crashes and silent
+# fallbacks, we bind-mount all of them. Therefore, we need access to many of the
+# fstypes.
+
allow dexopt_chroot_setup {
apex_mnt_dir
binderfs
cgroup
cgroup_v2
+ userdebug_or_eng(debugfs)
debugfs_tracing_debug
device
devpts
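Review bot: The new comment block explains why many fstypes are needed but not why `debugfs` alone is wrapped in `userdebug_or_eng(...)`, both at the added entry in this list and at the same entry in the second hunk. A one-line comment above the entry would make it less likely that a later edit drops the guard, for example `# debugfs: some old devices use it for /sys/kernel/debug; userdebug/eng only.` The class and permission sets of both allow rules close outside the hunks, so confirm that what they grant on `debugfs` is limited to the mount/unmount named in the commit title. The added blank line after the comment also separates it from the rule it documents.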
@@ -74,6 +82,7 @@
binderfs
cgroup
cgroup_v2
+ userdebug_or_eng(debugfs)
debugfs_tracing_debug
devpts
fs_bpf