From addd3c9fba67b8df998a3aa61113b4a0c5cffdf9 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 13 Jul 2016 14:12:11 -0700
Subject: [PATCH] Grant untrusted_app dir access to asec_apk_file.

untrusted_app lost all of the domain_deprecated permissions in N,
including the ability to read asec_apk_file dirs.  This is used for
forward locked apps.

Addresses the following denials:
avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0

Bug: 30082229
Change-Id: I44119f218433b9009cf8d09d0ee5f8a13cc15dd9
---
 untrusted_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index 6bc68437f..4b0fd565e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -31,6 +31,7 @@ allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
+allow untrusted_app asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
 allow untrusted_app asec_public_file:file { execute execmod };
 
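Review bot: The added rule `allow untrusted_app asec_apk_file:dir r_dir_perms;` grants more than the two denials quoted in the commit message, which are only `search` and `getattr` on /mnt/asec. Assuming `r_dir_perms` expands as it usually does in this policy's global macros (the definition is not visible in the patch), it also carries `open` and `read`, so every third-party app could list the directory and see the names of other apps' ASEC containers. If traversal is all that forward-locked apps need, the narrower `allow untrusted_app asec_apk_file:dir { search getattr };` covers both logged denials and can be widened later if testing shows a further denial. A comment above the rule, such as `# Traverse /mnt/asec to reach forward-locked app files (b/30082229).`, would also record why untrusted_app keeps this access after losing domain_deprecated.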
-- 
GitLab