From 83348b0b94b003713684f1b9e7b6fcf5df32fdca Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 15 Jul 2016 09:23:44 -0700
Subject: [PATCH] Grant untrusted_app dir access to asec_apk_file. untrusted_app lost all of the domain_deprecated permissions in N, including the ability to read asec_apk_file dirs. This is used for forward locked apps. Addresses the following denials: avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0 avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0 (cherry-pick of internal commit: addd3c9fba67b8df998a3aa61113b4a0c5cffdf9) Bug: 30082229 Change-Id: I87758f1daee19197d9299bca261f0324e01af5e0
---
 untrusted_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/untrusted_app.te b/untrusted_app.te
index a61384bb8..5e6c1b695 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -31,6 +31,7 @@ allow untrusted_app app_data_file:file { rx_file_perms execmod };
 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
+allow untrusted_app asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
 allow untrusted_app asec_public_file:file { execute execmod };
-- GitLab
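Review bot: The added `allow untrusted_app asec_apk_file:dir r_dir_perms;` grants more than the two denials quoted in the commit message require. Those denials show only `search` and `getattr` on the directory, while `r_dir_perms` also carries `open` and `read`, so every untrusted app would be allowed by policy to list asec_apk_file directories such as /mnt/asec. If forward-locked apps only need to traverse the path, `allow untrusted_app asec_apk_file:dir { getattr search };` keeps the grant to what was observed. If listing is in fact needed, a comment on the rule such as `# Forward-locked apps: traverse and list asec container dirs.` would record why the wider set was chosen.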