Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main

2024-06-04 13:54:51 +00:00 · 2024-06-04 13:54:51 +00:00 · c6a554f200
commit c6a554f200
parent 8d9a89ed9e 413f44d5c4
1 changed files with 9 additions and 0 deletions
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@ -41,12 +41,20 @@ allow dexopt_chroot_setup proc_filesystems:file r_file_perms;
 allow dexopt_chroot_setup block_device:dir { getattr search };

 # Allow mounting file systems, to create a chroot environment.
+# We recursively bind-mount directories under /data, /mnt/expand, /proc, /sys,
+# and /dev. We need some of them (e.g., incremental-fs directories for
+# incremental apps in /data; /dev/cpuctl and /dev/blkio for task profiles), but
+# not necessarily all of them. However, to avoid random crashes and silent
+# fallbacks, we bind-mount all of them. Therefore, we need access to many of the
+# fstypes.
+
 allow dexopt_chroot_setup {
  apex_mnt_dir
  apk_data_file
  binderfs
  cgroup
  cgroup_v2
+  userdebug_or_eng(debugfs)
  debugfs_tracing_debug
  device
  devpts
@ -75,6 +83,7 @@ allow dexopt_chroot_setup {
  binderfs
  cgroup
  cgroup_v2
+  userdebug_or_eng(debugfs)
  debugfs_tracing_debug
  devpts
  fs_bpf