Allow oatpreopt_chroot to deactivate APEX packages in /postinstall/apex.

Allow `otapreopt_chroot` to: - unmount APEX packages (ext4 images) mounted in `/postinstall/apex`; - access `/dev/block`. Deactivating APEX packages (unmounting them from `/postinstall/apex` and detaching the corresponding loop devices) is part of the tear-down phase run at the end of `oatpreopt_chroot`. Test: A/B OTA update test (asit/dexoptota/self_full). Bug: 113373927 Bug: 120796514 Change-Id: Ida07d2ceda31c7296228d973b26ff642f6533274
2019-01-21 15:01:26 +00:00 · 2019-01-21 15:01:26 +00:00 · 7094d4f505
commit 7094d4f505
parent ab9c053078
1 changed files with 5 additions and 0 deletions
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@ -27,3 +27,8 @@ allow otapreopt_chroot tmpfs:filesystem mount;
 allow otapreopt_chroot tmpfs:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
 allow otapreopt_chroot tmpfs:dir mounton;
+
+# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
+allow otapreopt_chroot labeledfs:filesystem unmount;
+# Allow otapreopt_chroot to access /dev/block.
+allow otapreopt_chroot block_device:dir r_dir_perms;