APEXes are mounted without NOSUID
This allows init to execute a binary in APEXes and successfully does the
domain transition. When the APEX partitions were mounted with NOSUID,
SELinux labels in the partitions weren't respected for exec() [1].
Since APEX partitions are all dm-verity protected, mounting without
NOSUID is safe.
[1] https://wiki.gentoo.org/wiki/SELinux/FAQ#Applications_do_not_transition_on_a_nosuid-mounted_partition
Bug: 117403679
Test: m apex.test; adb push <built_apex> /data/apex; adb reboot
adb shell, then lsof -p $(pidof surfaceflinger) shows that
the process is executing
/apex/com.android.example.apex@1/bin/surfaceflinger instead of
/system/bin/surfaceflinger
Change-Id: I0e0436c82a307d0f91a1c40be36122a0cea1d65f
3 files changed