# otapreopt_chroot executable
type otapreopt_chroot, domain;
type otapreopt_chroot_exec, exec_type, file_type;

# Chroot preparation and execution: the process creates an unshared mount
# namespace and then mounts /data. CAP_SYS_ADMIN and CAP_SYS_CHROOT are what
# make that possible; both are broad capabilities, so the rest of this
# domain's rule set is deliberately kept to the few accesses listed below.
allow otapreopt_chroot self:global_capability_class_set { sys_chroot sys_admin };
allow otapreopt_chroot postinstall_file:dir { mounton search };

# Needed to mount /vendor: searching the block-device directory and mounting
# a labeled filesystem.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem mount;
# Mounting /vendor can produce a setsched request against the kernel as a
# side effect. It is not needed, so it is silenced rather than granted.
dontaudit otapreopt_chroot kernel:process setsched;

# File descriptors inherited from postinstall and update_engine may be used;
# the program is expected to close them immediately. The update_engine fifo
# may be written.
allow otapreopt_chroot { postinstall update_engine }:fd use;
allow otapreopt_chroot update_engine:fifo_file write;