Allow dexopt_chroot_setup to mount/unmount debugfs.

Some old devices use debugfs for /sys/kernel/debug.

Bug: 311377497
Change-Id: Ib9958b5cfdd85c37acd27ff6e637efdbd2a068e3
Test: adb shell pm art pr-dexopt-job --test
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 5dd0e5d..b74a740 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -41,11 +41,19 @@
 allow dexopt_chroot_setup block_device:dir { getattr search };
 
 # Allow mounting file systems, to create a chroot environment.
+# We recursively bind-mount directories under /data, /mnt/expand, /proc, /sys,
+# and /dev. We need some of them (e.g., incremental-fs directories for
+# incremental apps in /data; /dev/cpuctl and /dev/blkio for task profiles), but
+# not necessarily all of them. However, to avoid random crashes and silent
+# fallbacks, we bind-mount all of them. Therefore, we need access to many of the
+# fstypes.
+
 allow dexopt_chroot_setup {
   apex_mnt_dir
   binderfs
   cgroup
   cgroup_v2
+  userdebug_or_eng(debugfs)
   debugfs_tracing_debug
   device
   devpts
@@ -74,6 +82,7 @@
   binderfs
   cgroup
   cgroup_v2
+  userdebug_or_eng(debugfs)
   debugfs_tracing_debug
   devpts
   fs_bpf