domain_deprecated: remove rootfs access

am: a12aad45b6

Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937

private/platform_app.te

@@ -38,6 +38,9 @@ allow platform_app mnt_media_rw_file:dir r_dir_perms;
 allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
 
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;

private/system_app.te

@@ -11,6 +11,9 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

public/update_engine_common.te

@@ -13,6 +13,10 @@ allow update_engine_common system_block_device:blk_file rw_file_perms;
 # requires it.
 allow update_engine_common misc_block_device:blk_file rw_file_perms;
 
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir mounton;