From ec4b9d67057a9999ef0244873ecf2183f67f59bb Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 12 Jul 2016 09:48:52 -0700
Subject: [PATCH] Sepolicy: allow otapreopt_chroot to mount vendor

Vendor apps are usually not preopted, so A/B dexopt should pick
them up. update_engine is not mounting the vendor partition, so
let otapreopt_chroot do the work.

This change gives otapreopt_chroot permission to mount /vendor
into the chroot environment.

Bug: 25612095
Bug: 29498238
Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb
---
 domain.te           | 2 +-
 otapreopt_chroot.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 1b81ed2ee..f3cf303cf 100644
--- a/domain.te
+++ b/domain.te
@@ -265,7 +265,7 @@ neverallow { domain -init -ueventd } device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
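Review bot: Adding `-otapreopt_chroot` to this exemption list lifts the entire neverallow for the domain, i.e. mount, remount, relabelfrom and relabelto on every fs_type other than sdcard_type, whereas the matching allow rule added in otapreopt_chroot.te grants only `labeledfs:filesystem mount`. A neverallow exemption cannot be narrowed by permission or by filesystem type, so the only guard against the domain's allow rules growing later is the comment above it. I would extend the comment with `# otapreopt_chroot is exempted only so it can mount /vendor into its chroot; any wider filesystem access for it must be justified separately.` so the intended scope is recorded next to the exemption.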
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index 3f426709c..fcba7b145 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -7,6 +7,10 @@ type otapreopt_chroot_exec, exec_type, file_type;
 allow otapreopt_chroot postinstall_file:dir { search mounton };
 allow otapreopt_chroot self:capability { sys_admin sys_chroot };
 
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
 
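Review bot: The comment `# This is required to mount /vendor.` overstates how narrowly this rule is scoped: `labeledfs:filesystem mount` is checked against the filesystem's type, not against a mount point, so it permits mounting any labeledfs-labeled filesystem onto any directory where the domain already holds `mounton` (here `postinstall_file:dir` on the line above). I would reword it to `# Needed to mount /vendor into the chroot. Scoped by filesystem type (labeledfs), not by path; the mount target is bounded by the postinstall_file:dir mounton rule above.` so the next reader does not assume the rule is limited to the vendor partition. The rule also grants `mount` but not `unmount`; if otapreopt_chroot tears its /vendor mount down on exit (not visible here), that call would be denied and should be covered by a separate, equally documented rule.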
-- 
GitLab