From 5259c5e61625c4bd45b96c1712977dc2cde9e555 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 16 Jul 2014 09:38:06 -0700
Subject: [PATCH] dex2oat: fix forward locked apps

dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:

  type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

Steps to reproduce:

  $ adb install -r -l SimpleJNI.apk

Expected:

  app installs

Actual:

  app fails to install.

Change-Id: I5a468508014e9963460d13d78e1c4867187322b3
Bug: 16328233
---
 dex2oat.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dex2oat.te b/dex2oat.te
index 51acc86bf..164e89c4d 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -4,3 +4,6 @@ type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat installd:fd use;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+allow dex2oat asec_apk_file:file read;
-- 
GitLab