Clean up APEX-related `otapreopt_chroot` policies.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: Icbbe1babe0dceebff2546264ddabe779babba761
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8f3d797..070cac6 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -28,7 +28,6 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot tmpfs:dir mounton;
-# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
-allow otapreopt_chroot labeledfs:filesystem unmount;
-# Allow otapreopt_chroot to access /dev/block.
+# Allow otapreopt_chroot to access /dev/block (needed to detach loop
+# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
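Review bot: The rewritten comment above `allow otapreopt_chroot block_device:dir r_dir_perms;` gives loop-device detachment as the reason, but this rule only grants read/search on the /dev/block directory and does not itself permit any operation on a loop device node. If the rule covering the loop device nodes lives elsewhere in the policy (it is not visible in this hunk), the comment could be narrowed to what this line actually allows, e.g. `# Allow otapreopt_chroot to search /dev/block (needed to locate the loop devices backing APEX ext4 images before they are detached).` Separately, the commit drops `labeledfs:filesystem unmount`, which narrows the domain. It would be worth confirming that the A/B OTA test run logged no `avc: denied { unmount }` for `otapreopt_chroot`, since a denial on that path would presumably surface only as a teardown failure after the update.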