Allow `otapreopt_chroot` to deactivate APEX packages in `/postinstall/apex`.

Allow `otapreopt_chroot` to:
- unmount APEX packages (ext4 images) mounted in `/postinstall/apex`;
- access `/dev/block`.

Deactivating APEX packages (unmounting them from `/postinstall/apex`
and detaching the corresponding loop devices) is part of the tear-down
phase run at the end of `otapreopt_chroot`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: Ida07d2ceda31c7296228d973b26ff642f6533274
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 9a9fb5f..8f3d797 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -27,3 +27,8 @@
 allow otapreopt_chroot tmpfs:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
 allow otapreopt_chroot tmpfs:dir mounton;
+
+# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
+allow otapreopt_chroot labeledfs:filesystem unmount;
+# Allow otapreopt_chroot to access /dev/block.
+allow otapreopt_chroot block_device:dir r_dir_perms;
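
Review bot: The comment above `allow otapreopt_chroot labeledfs:filesystem unmount;` reads as if the permission were limited to APEX images under /postinstall/apex, but the rule is keyed on the `labeledfs` filesystem type rather than on a mount point, so it permits unmounting any filesystem carrying that label. Please reword the comment to say that the grant is type-wide and that the restriction to /postinstall/apex comes from what the code does, not from policy. On the last rule, "access /dev/block" is looser than what is granted: `r_dir_perms` on `block_device:dir` only allows reading and searching the directory, so the comment should say that and state why the tear-down needs it. The commit message also describes detaching the corresponding loop devices, yet this hunk adds no rule for the loop devices themselves; please confirm that access is already covered elsewhere in the policy or is not required.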