Clean up APEX-related `otapreopt_chroot` policies.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: Icbbe1babe0dceebff2546264ddabe779babba761
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8f3d797..070cac6 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -28,7 +28,6 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot tmpfs:dir mounton;
-# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
-allow otapreopt_chroot labeledfs:filesystem unmount;
-# Allow otapreopt_chroot to access /dev/block.
+# Allow otapreopt_chroot to access /dev/block (needed to detach loop
+# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
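Review bot: The rewritten comment on the `block_device:dir r_dir_perms` rule says it is needed to detach loop devices, but directory read/search/open on /dev/block only lets the domain enumerate device nodes; detaching a loop device is an ioctl on the loop node itself, which no rule in this hunk grants. If that permission lives in another rule, the comment should point at it so the next reader does not assume this line is sufficient, e.g. `# Allow otapreopt_chroot to list /dev/block so it can locate the loop devices backing ext4 images from APEX packages (the loop-detach ioctl itself is granted separately).` If no such rule exists, the detach path should be re-tested under enforcing policy rather than relying on this directory grant.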
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index d815d1d..a8d5fda 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -7,9 +7,10 @@
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-# This is required to mount /vendor.
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem mount;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
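Review bot: The new comment scopes `labeledfs:filesystem { mount unmount }` to "ext4 images from APEX packages in /postinstall/apex", but filesystem-class permissions are keyed on the filesystem's type label, not its mount path, so this rule lets otapreopt_chroot mount and unmount any filesystem labeled labeledfs. Moving the unmount grant from private/ into public/ also appears to make it part of the exported policy surface, which is harder to narrow later; that is inferred from the file locations rather than shown here. The comment should state the actual grant so the breadth is visible at review time, e.g. `# Needed to mount /vendor and to mount/unmount the ext4 images from APEX packages under /postinstall/apex. Note: this grants mount/unmount on any labeledfs filesystem, not just those paths.`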