Merge cherrypicks of ['googleplex-android-review.googlesource.com/39468277'] into 26Q2-release. Change-Id: I85ab236478f190d2e22549a531b2080c53d0316e
diff --git a/private/crosvm.te b/private/crosvm.te
index a9d90ed..7e80068 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -54,6 +54,7 @@
 }:file { getattr read ioctl lock };
 # Updated APEXes are accessed via apex_dm_device
+allow crosvm_domain block_device:dir search;
 allow crosvm_domain apex_dm_device:blk_file r_file_perms;
 # Allow searching the directory where the composite disk images are.
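Review bot: The added `allow crosvm_domain block_device:dir search;` sits between the `# Updated APEXes are accessed via apex_dm_device` comment and the existing blk_file rule without the comment saying why directory search on block_device is now required, whereas the system_app.te hunk in this same change does explain it; the priv_app_all.te hunk has the same gap. Suggest widening the comment to `# Updated APEXes are accessed via apex_dm_device under /dev/block, so search on the parent block_device dir is needed to reach the blk_file`. Granting `search` (lookup/traversal) rather than `read` (listing) on block_device:dir is the minimal permission for this and should stay that narrow. The multi-line rule whose `}:file { ... };` closing is the first context line starts outside the hunk.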
diff --git a/private/priv_app_all.te b/private/priv_app_all.te
index cf4b0e6..49cbc8f 100644
--- a/private/priv_app_all.te
+++ b/private/priv_app_all.te
@@ -183,6 +183,7 @@
 # Required for Phonesky to be able to read staged files under /data/app-staging.
 allow priv_app_all staging_data_file:dir r_dir_perms;
 # data APEXes are moved to device-mapped block files
+allow priv_app_all block_device:dir search;
 allow priv_app_all apex_dm_device:blk_file r_file_perms;
 # Allow com.android.vending to access files under vendor/apex as well as system apex files.
diff --git a/private/system_app.te b/private/system_app.te
index d78a59c..00a41ba 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -26,7 +26,9 @@
 # files located in the assets/ directory.
 allow system_app apex_data_file:dir search;
 allow system_app staging_data_file:file r_file_perms;
-# data APEXes are moved to device-mapped block files
+# Since data APEXes are moved to device-mapped block files (e.g. /dev/block/dm-1)
+# system_app now needs `search` to the parent dir(/dev/block) and `read` for the blk_file
+allow system_app block_device:dir search;
 allow system_app apex_dm_device:blk_file r_file_perms;
 # Read wallpaper file.
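Review bot: The new comment says system_app needs `read` for the blk_file, but the rule it describes grants `r_file_perms`, which as defined in the policy macros is broader than bare read (it also covers open, getattr, ioctl and lock among others), so the comment understates the access being documented; `dir(/dev/block)` is also missing a space. Suggest rewording the second line to `# system_app now needs search on the parent dir (/dev/block) and r_file_perms on the blk_file`. If the intent really is read-only access, the rule rather than the comment is the thing to tighten.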