From 1c1eb869f053aa817c2060708a25b251876eb7c2 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 6 Aug 2014 18:09:35 -0700
Subject: [PATCH] DO NOT MERGE. Allow untrusted_app access to temporary apk
 files.

Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
---
 untrusted_app.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index f29149e3d..5af4e954a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -82,3 +82,7 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
+
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-- 
GitLab