init can call setns

init now creates two mount namespaces: one for pre-apexd processes and
the other for post-apexd processes. This is to mount different files at
the same mount point, /bionic. For pre-apexd processes, the bootstrap
Bionic is mounted. For post-apexd processes, the default Bionic (from
the runtime APEX) is mounted.

Using unshare and setns, init first starts with the mount namespace for
pre-apexd processes and then switches to the other mount namespace when
APEXes are ready. It then occasionally switches to the pre-apexd mount
namespace when it has to re-launch a pre-apexd process (e.g. because the
process has crashed).

In doing so, read access to /proc/self/ns/mnt is granted to init as
well.

Bug: 120266448
Bug: 122717176
Test: m device boots
Change-Id: Idbf15cbf5cc36b9993d718d4d887cd8f23a94666
Jiyong Park 2019-01-17 22:34:51 +09:00
parent 4b3f2c6245
commit 9d9333ac86
2 changed files with 5 additions and 0 deletions
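The two-namespace switching the commit message describes, written out as a stand-alone Linux demo. This is an added example, not AOSP init code: it creates a second mount namespace with unshare(2), mounts a constructed tmpfs on a scratch directory so the same path holds different content in the two namespaces, and uses an fd held on /proc/self/ns/mnt to setns(2) back and forth. The names demo_switch_namespaces, parse_ns_link, current_mnt_ns, the NS_DEMO_* codes and the /tmp/nsdemo.XXXXXX scratch path are this example's own. The full path needs CAP_SYS_ADMIN and CAP_SYS_CHROOT (the capabilities the policy below grants init); without them the demo reports NS_DEMO_UNAVAILABLE instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Prototypes repeated in case the toolchain headers were seen without _GNU_SOURCE. */
int unshare(int flags);
int setns(int fd, int nstype);

/* Result codes for demo_switch_namespaces() (names are this example's own). */
enum { NS_DEMO_OK = 0, NS_DEMO_UNAVAILABLE = 1, NS_DEMO_ERROR = -1 };

/* Parse the link target of /proc/<pid>/ns/mnt, e.g. "mnt:[4026531840]".
 * Returns the namespace inode number, or 0 if the string is malformed. */
unsigned long parse_ns_link(const char *link)
{
    unsigned long id = 0;
    char bracket = 0;
    if (sscanf(link, "mnt:[%lu%c", &id, &bracket) != 2 || bracket != ']')
        return 0;
    return id;
}

/* Inode of the mount namespace the calling thread is in (0 if /proc is absent). */
unsigned long current_mnt_ns(void)
{
    char buf[64];
    ssize_t n = readlink("/proc/self/ns/mnt", buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return parse_ns_link(buf);
}

/* Errors meaning the environment forbids the operation (no CAP_SYS_ADMIN or
 * CAP_SYS_CHROOT, seccomp, no /proc) rather than a bug in this demo. */
static int env_limited(int err)
{
    return err == EPERM || err == EACCES || err == ENOSYS || err == ENOENT;
}

/* Build a second mount namespace whose view of one path differs from the
 * first, then hop between them with setns(2), as init does between its
 * pre-apexd and post-apexd namespaces. */
int demo_switch_namespaces(void)
{
    char dir[] = "/tmp/nsdemo.XXXXXX";   /* constructed scratch mount point */
    char marker[64];
    int bootstrap_fd, apex_fd = -1, fd, created = 0, mounted = 0;
    int rc = NS_DEMO_ERROR;
    unsigned long bootstrap_id, apex_id;

    /* Keep an fd on the starting ("bootstrap") namespace so we can return to it. */
    bootstrap_fd = open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC);
    if (bootstrap_fd < 0)
        return env_limited(errno) ? NS_DEMO_UNAVAILABLE : NS_DEMO_ERROR;
    bootstrap_id = current_mnt_ns();

    /* unshare(CLONE_NEWNS) requires CAP_SYS_ADMIN. */
    if (unshare(CLONE_NEWNS) < 0) {
        rc = env_limited(errno) ? NS_DEMO_UNAVAILABLE : NS_DEMO_ERROR;
        goto cleanup;
    }
    /* Make propagation private so mounts made here never leak into the old ns. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
        rc = env_limited(errno) ? NS_DEMO_UNAVAILABLE : NS_DEMO_ERROR;
        goto cleanup;
    }
    apex_fd = open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC);
    apex_id = current_mnt_ns();
    if (apex_fd < 0 || apex_id == 0 || apex_id == bootstrap_id)
        goto cleanup;

    /* Same path, different content: a tmpfs that exists only in the new ns. */
    if (!mkdtemp(dir))
        goto cleanup;
    created = 1;
    snprintf(marker, sizeof marker, "%s/marker", dir);
    if (mount("nsdemo", dir, "tmpfs", 0, NULL) < 0) {
        rc = env_limited(errno) ? NS_DEMO_UNAVAILABLE : NS_DEMO_ERROR;
        goto cleanup;
    }
    mounted = 1;
    fd = open(marker, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    close(fd);

    /* setns(CLONE_NEWNS) needs CAP_SYS_CHROOT as well as CAP_SYS_ADMIN.
     * Back in the bootstrap namespace the marker must be invisible... */
    if (setns(bootstrap_fd, CLONE_NEWNS) < 0)
        goto cleanup;
    if (current_mnt_ns() != bootstrap_id || access(marker, F_OK) == 0)
        goto cleanup;
    /* ...and after switching forward again it is visible. */
    if (setns(apex_fd, CLONE_NEWNS) < 0)
        goto cleanup;
    if (current_mnt_ns() != apex_id || access(marker, F_OK) != 0)
        goto cleanup;
    rc = NS_DEMO_OK;

cleanup:
    if (mounted) {
        setns(apex_fd, CLONE_NEWNS);
        unlink(marker);
        umount2(dir, MNT_DETACH);
    }
    setns(bootstrap_fd, CLONE_NEWNS);   /* leave the caller where it started */
    if (created)
        rmdir(dir);
    if (apex_fd >= 0)
        close(apex_fd);
    close(bootstrap_fd);
    return rc;
}
```

Run as root the demo returns NS_DEMO_OK after proving the marker file is present in one namespace and absent in the other; run unprivileged it returns NS_DEMO_UNAVAILABLE at the unshare(2) step, which is exactly the point where a process lacking `sys_admin` (or, for the setns(2) step, `sys_chroot`) would be stopped by the policy hunks below.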


@ -90,6 +90,7 @@ full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
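Review bot: the new `-init` exclusion lifts the whole `proc:file no_rw_file_perms` neverallow for init, but nothing here records why, while the commit message needs only read access to /proc/self/ns/mnt for setns(2). Add a comment beside the exclusion (as the comment on the `proc` entry in the init hunk does for b/67049235) stating that init reads /proc/self/ns/mnt, which carries the generic `proc` label, so the exclusion can be dropped once /proc/<pid>/* files get their own label instead of persisting as an unexplained Treble exception.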


@ -70,6 +70,9 @@ allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:global_capability_class_set sys_admin;
# Call setns(2).
allow init self:global_capability_class_set sys_chroot;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
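Review bot: the comment `# Call setns(2).` above `allow init self:global_capability_class_set sys_chroot;` understates what is granted and why. setns(2) on a mount namespace requires CAP_SYS_CHROOT in addition to CAP_SYS_ADMIN (the latter already granted two lines up for mount(2)), whereas unshare(CLONE_NEWNS), which the commit message also uses, needs only CAP_SYS_ADMIN; and sys_chroot also lets init call chroot(2) outright. Suggest `# Call setns(2) to switch mount namespaces; needs CAP_SYS_CHROOT on top of CAP_SYS_ADMIN.` so a later reader does not trim it as unused or mistake it for a chroot requirement.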
@ -304,6 +307,7 @@ userdebug_or_eng(`
')
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
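Review bot: the `proc` entry's comment cites only b/67049235 (mislabeled /proc/<pid>/* files) and not what this change needs it for, namely reading /proc/self/ns/mnt so init can setns(2) between its two mount namespaces. Point the comment at that use and at b/120266448; otherwise the entry looks removable once the mislabeling is fixed, while init will still need read access to its own namespace files. The permission set closing this allow statement is outside the shown context; it should stay read-only (r_file_perms), since the commit message asks for read access only.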