From 97b08903c7a6a1976c41dba9a10cf86b7a552b9a Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Thu, 26 Oct 2017 17:42:51 -0700
Subject: [PATCH] Allow installd to read system_data_file:lnk_file

The permission was removed in
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/
but is still needed in order to optimize application code.

Denial example:

10-26 16:29:51.234   894  1469 D PackageManager.DexOptimizer: Running
dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar
pkg=com.google.android.gms isa=[arm64]
dexoptFlags=boot_complete,public,secondary,force,storage_ce
target-filter=quicken

10-26 16:29:51.253  2148  2148 W Binder:695_5: type=1400 audit(0.0:39):
avc: denied { read } for name="0" dev="sda35" ino=917506
scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0
tclass=lnk_file permissive=0

Test: adb shell cmd package reconcile-secondary-dex-files
com.google.android.googlequicksearchbox
adb shell cmd package compile -m speed --secondary-dex
com.google.android.gms

Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56
---
 public/installd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/installd.te b/public/installd.te
index 1ef12254a..d02a86ad4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -45,7 +45,9 @@ allow installd asec_image_file:file getattr;
 # and lib symlinks before the setfilecon call.  May want to
 # move symlink creation after setfilecon in installd.
 allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create getattr setattr unlink };
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
 
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
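Review bot: The `read` added to the `system_data_file:lnk_file` rule covers every symlink carrying that label, not only the `/data/user/0` link named in the new comment, and the comment does not say why that is acceptable for a privileged domain that resolves paths under app data directories. I would record the reasoning next to the rule, for example `# read applies only to system_data_file links; symlinks created by apps are expected to carry the app data label and stay unreadable to installd (confirm against the app domain rules).` Keeping the grant on its own line, `allow installd system_data_file:lnk_file read;`, would also let it be audited or reverted separately from the existing create/getattr/setattr/unlink permissions. The comment block this rule sits under starts above the hunk, so the full rationale for the surrounding rules is not visible here.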
-- 
GitLab