Allow `otapreopt_chroot` to use a flattened Runtime APEX package.

- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index c0836ec..a463cb6 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -7,7 +7,12 @@
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
+# - Case where dex2oat is in a non-flattened APEX, which has retained
+# the correct type (`dex2oat_exec`).
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+# - Case where dex2oat is in a flattened APEX, which has been tagged
+# with the `postinstall_file` type by update_engine.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
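Review bot: the added `domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)` keys the transition on the `postinstall_file` type rather than on the dex2oat binary, so any file carrying that label that `postinstall_dexopt` executes will enter the `dex2oat` domain and becomes a valid entrypoint for it. The new comment explains why the flattened APEX copy no longer has `dex2oat_exec`, but it does not say that this rule is broader than the `dex2oat_exec` one above it. I would state that in the comment and note which other `postinstall_file` executables, if any, `postinstall_dexopt` is expected to run, since they would now transition into `dex2oat` as well. If the flattened copy could keep or regain the `dex2oat_exec` label, the first rule would be enough and this one could be dropped.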