dex2oat: fix forward locked apps

dex2oat can't access file descriptors associated with asec_apk_files. This breaks installing forward locked apps, and generates the following denial: type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file Steps to reproduce: $ adb install -r -l SimpleJNI.apk Expected: app installs Actual: app fails to install. Change-Id: I5a468508014e9963460d13d78e1c4867187322b3 Bug: 16328233
author: Nick Kralevich <nnk@google.com> 2014-07-16 09:38:06 -0700
committer: Nick Kralevich <nnk@google.com> 2014-07-16 09:41:51 -0700
commit: 5259c5e61625c4bd45b96c1712977dc2cde9e555 (patch)
tree: 4a7b4a28d2367728243207f6f6163103794c15a1
parent: db416305ea18e15e2b917a2870fcd526ab4e615c (diff)
download: sepolicy-5259c5e61625c4bd45b96c1712977dc2cde9e555.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/dex2oat.te b/dex2oat.te
index 51acc86..164e89c 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -4,3 +4,6 @@ type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat installd:fd use;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+allow dex2oat asec_apk_file:file read;
author	Nick Kralevich <nnk@google.com>	2014-07-16 09:38:06 -0700
committer	Nick Kralevich <nnk@google.com>	2014-07-16 09:41:51 -0700
commit	5259c5e61625c4bd45b96c1712977dc2cde9e555 (patch)
tree	4a7b4a28d2367728243207f6f6163103794c15a1
parent	db416305ea18e15e2b917a2870fcd526ab4e615c (diff)
download	sepolicy-5259c5e61625c4bd45b96c1712977dc2cde9e555.tar.gz