Add otapreopt_chroot holes for selinux

Changes to otapreopt_chroot will require that otapreopt_chroot has
additional permissions to mount on /sys and /dev in the ota chroot.

See  go/aog/1646766 for more information.
Bug: 181182967
Test: m droid

Change-Id: Ica4d6444b0320d7b4ad77b888690b2dfb05c681e

3 files changed, 5 insertions, 0 deletions

diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te
index 3826b67..e28b160 100644
--- a/neverallows/non_plat/neverallows.te
+++ b/neverallows/non_plat/neverallows.te
@@ -219,6 +219,7 @@ full_treble_only(`
     hal_camera_default
     init
     mtk_hal_camera
+    otapreopt_chroot
     recovery
     shell
     slideshow
diff --git a/neverallows/plat_private/neverallows.te b/neverallows/plat_private/neverallows.te
index 18f6433..570070c 100644
--- a/neverallows/plat_private/neverallows.te
+++ b/neverallows/plat_private/neverallows.te
@@ -131,6 +131,7 @@ full_treble_only(`
     -fastbootd
     -hal_camera
     -init
+    -otapreopt_chroot
     -recovery
     -shell
     -slideshow
diff --git a/neverallows/plat_public/neverallows.te b/neverallows/plat_public/neverallows.te
index a11a4bf..a1b1770 100644
--- a/neverallows/plat_public/neverallows.te
+++ b/neverallows/plat_public/neverallows.te
@@ -35,12 +35,14 @@ full_treble_only(`
 
   neverallow ~{
     init
+    otapreopt_chroot
     ueventd
     vendor_init
     } sysfs:dir ~r_dir_perms;
 
   neverallow {
     init
+    otapreopt_chroot
     ueventd
     vendor_init
     } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
@@ -447,6 +449,7 @@ full_treble_only(`
     -fastbootd
     -hal_camera
     -init
+    -otapreopt_chroot
     -recovery
     -shell
     -slideshow