# otapreopt_chroot executable
#
# Policy for the helper that prepares a chroot and then runs otapreopt
# inside it.  The two type declarations below label the process domain
# (attribute `domain`) and its on-disk executable (`exec_type`,
# `file_type`); the allow rules that follow grant only what the steps
# described in the comments need.
type otapreopt_chroot, domain;
type otapreopt_chroot_exec, exec_type, file_type;

# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
# - search:  traverse directories labelled postinstall_file.
# - mounton: use such a directory as a mount point.  postinstall_file is
#            the only mounton target granted in this file.
allow otapreopt_chroot postinstall_file:dir { search mounton };
# CAP_SYS_ADMIN is what unshare(CLONE_NEWNS) and mount(2) require;
# CAP_SYS_CHROOT is what chroot(2) requires.  sys_admin is the broadest
# grant in this file, so keep the mounton targets above minimal.
allow otapreopt_chroot self:capability { sys_admin sys_chroot };

# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
# domain_auto_trans: when otapreopt_chroot executes a file labelled
# postinstall_file, the new process automatically enters the
# postinstall_dexopt domain.
# NOTE(review): the earlier comment named postinstall_ota, but the rule
# names postinstall_dexopt; the comment now follows the rule.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)

# Allow otapreopt_chroot to use file descriptors inherited from installd.
# The subject of this rule is otapreopt_chroot; it grants fd:use only and
# gives installd no access in return.
allow otapreopt_chroot installd:fd use;