From 6f6c425563f4faa4e1e12bf430c32d0b81a78f64 Mon Sep 17 00:00:00 2001
From: Christopher Tate <ctate@android.com>
Date: Fri, 30 May 2014 15:21:22 -0700
Subject: [PATCH] Adjust rules around /data/app entities

This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).

Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0
---
 app.te      | 3 +++
 domain.te   | 1 +
 installd.te | 4 +++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index eadf5390b..1aa6b2377 100644
--- a/app.te
+++ b/app.te
@@ -137,6 +137,9 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;
 
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:file { rx_file_perms execmod };
+
 ###
 ### CTS-specific rules
 ###
diff --git a/domain.te b/domain.te
index a53a32892..20869114e 100644
--- a/domain.te
+++ b/domain.te
@@ -96,6 +96,7 @@ allow domain system_data_file:lnk_file r_file_perms;
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
+allow domain apk_data_file:lnk_file r_file_perms;
 
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
diff --git a/installd.te b/installd.te
index f84075a4c..36f71730c 100644
--- a/installd.te
+++ b/installd.te
@@ -5,7 +5,9 @@ type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file r_file_perms;
+allow installd apk_data_file:file rename;
+allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;
-- 
GitLab