Introduce a `postinstall_apex_mnt_dir` label for `/postinstall/apex`. Directory `/postinstall/apex` is used as a mount point for a tmpfs filesystem during A/B OTA updates. APEX packages from the new system partition are mounted ("activated") in subdirectories of `/postinstall/apex`, so that they are available when `otapreopt` is running. Directory `/postinstall/apex` used to be of type `tmpfs` for SELinux purposes. The new `postinstall_apex_mnt_dir` label is more restrictive, and tightens permissions granted to `otapreopt_chroot`, `otapreopt` (running as `postinstall_dexopt`), and `dex2oat`, regarding the apexd logic recently added to `otapreopt_chroot`. Test: A/B OTA update test (asit/dexoptota/self_full). Bug: 113373927 Bug: 120796514 Change-Id: I03f0b0433d9c066a0c607f864d60ca62fc68c990

commit: a42ebf412832ee2d21cf9b7e53574bc0a7b85310 [log] [tgz]
author: Roland Levillain <rpl@google.com> Thu Jan 24 14:32:17 2019 +0000
committer: Roland Levillain <rpl@google.com> Tue Jan 29 10:09:50 2019 +0000
tree: fd2d16bd8434c2173408b227c889629ad25fc4e0
parent: 2c9251430440965dd337e8058e4630524227784c [diff] [blame]
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..89c11bd 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -28,6 +28,7 @@
 /config             u:object_r:rootfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
commit	a42ebf412832ee2d21cf9b7e53574bc0a7b85310	[log] [tgz]
author	Roland Levillain <rpl@google.com>	Thu Jan 24 14:32:17 2019 +0000
committer	Roland Levillain <rpl@google.com>	Tue Jan 29 10:09:50 2019 +0000
tree	fd2d16bd8434c2173408b227c889629ad25fc4e0
parent	2c9251430440965dd337e8058e4630524227784c [diff] [blame]