1 # otapreopt_chroot executable 2 type otapreopt_chroot, domain; 3 type otapreopt_chroot_exec, exec_type, file_type; 4 5 # Chroot preparation and execution. 6 # We need to create an unshared mount namespace, and then mount /data. 7 allow otapreopt_chroot postinstall_file:dir { search mounton }; 8 allow otapreopt_chroot self:capability { sys_admin sys_chroot }; 9 10 # This is required to mount /vendor. 11 allow otapreopt_chroot block_device:dir search; 12 allow otapreopt_chroot labeledfs:filesystem mount; 13 14 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox. 15 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt) 16 17 # Allow otapreopt to use file descriptors from update-engine. It will 18 # close them immediately. 19 allow otapreopt_chroot postinstall:fd use; 20 allow otapreopt_chroot update_engine:fd use; 21 allow otapreopt_chroot update_engine:fifo_file write; 22
