0f81e06630
Ignore, as it's a side effect of mounting /vendor. Bug: 31116514 Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0
23 lines
991 B
Text
23 lines
991 B
Text
# otapreopt_chroot executable
|
|
type otapreopt_chroot, domain;
|
|
type otapreopt_chroot_exec, exec_type, file_type;
|
|
|
|
# Chroot preparation and execution.
|
|
# We need to create an unshared mount namespace, and then mount /data.
|
|
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
|
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
|
|
|
# This is required to mount /vendor.
|
|
allow otapreopt_chroot block_device:dir search;
|
|
allow otapreopt_chroot labeledfs:filesystem mount;
|
|
# Mounting /vendor can have this side-effect. Ignore denial.
|
|
dontaudit otapreopt_chroot kernel:process setsched;
|
|
|
|
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
|
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
|
|
|
# Allow otapreopt to use file descriptors from update-engine. It will
|
|
# close them immediately.
|
|
allow otapreopt_chroot postinstall:fd use;
|
|
allow otapreopt_chroot update_engine:fd use;
|
|
allow otapreopt_chroot update_engine:fifo_file write;
|