Allow `otapreopt_chroot` to use a flattened Runtime APEX package.
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
execute `dex2oat` from `/postinstall` -- this is for the case where
it is located in a flattened Runtime APEX in
`/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
`/postinstall/system/apex` (which are bind-mounted in
`/postinstall/apex`).
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ba85678..efde869 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -11,6 +11,9 @@
# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required to unmount flattened APEX packages under
+# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
+allow otapreopt_chroot postinstall_file:filesystem unmount;
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
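Review bot: The added `allow otapreopt_chroot postinstall_file:filesystem unmount;` grants unmount on every mount whose superblock carries the postinstall_file label, not only on the flattened APEX bind mounts under /postinstall/system/apex that the comment names, because the filesystem class cannot be scoped to a path; the comment should say so, and should also state why the existing `allow otapreopt_chroot labeledfs:filesystem { mount unmount };` two lines above does not already cover these mounts (i.e. that the bind mounts carry the postinstall_file filesystem label rather than labeledfs). Limiting the new rule to `unmount` rather than `{ mount unmount }` is correct for the stated purpose and should be kept. Note that this hunk implements only the third bullet of the commit message; the `otapreopt`/`dex2oat` execute and read changes from the first two bullets are not in this file.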