platform_system_sepolicy/private/otapreopt_chroot.te

typeattribute otapreopt_chroot coredomain;

# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)

# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
  LOOP_GET_STATUS64
  LOOP_SET_STATUS64
  LOOP_SET_FD
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_CLR_FD
  BLKFLSBUF
};

# Allow otapreopt_chroot to configure read-ahead of loop devices.
allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
allow otapreopt_chroot sysfs_loop:file rw_file_perms;

# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
allow otapreopt_chroot tmpfs:filesystem mount;
# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
allow otapreopt_chroot tmpfs:dir relabelfrom;
allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;

# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;

# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
# into /postinstall/bionic/.
allow otapreopt_chroot postinstall_file:file mounton;
# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
allow otapreopt_chroot postinstall_file:lnk_file read;

# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;