# otapreopt_chroot executable
type otapreopt_chroot, domain;
type otapreopt_chroot_exec, exec_type, file_type;

# Chroot preparation and execution.
# The helper unshares its mount namespace and then mounts /data inside it,
# which is why it needs both the sys_admin (mount/unshare) and sys_chroot
# capabilities on itself, plus search and mount-on permission on the
# postinstall directory.
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
allow otapreopt_chroot postinstall_file:dir { search mounton };

# Mounting /vendor: locate the block device node and mount a labeled
# filesystem.  The grant is limited to the mount permission; no unmount
# or remount is given here.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem mount;
# Mounting /vendor can produce a setsched attempt against a kernel-domain
# process as a side-effect.  Silence the denial rather than grant it.
dontaudit otapreopt_chroot kernel:process setsched;

# File descriptors inherited from postinstall and update_engine may be used
# (they are closed immediately), and the update_engine fifo stays writable.
allow otapreopt_chroot { postinstall update_engine }:fd use;
allow otapreopt_chroot update_engine:fifo_file write;