Merge changes from topic 'na-move-to-installd' into mnc-dev

* changes: Allow installd to link apk_data_file and dalvikcache_data_file. Revert "Allow system_server to link,relabel and create_dir dalvikcache_data_file."

Merge changes from topic 'na-move-to-installd' into mnc-dev
ba8821b0 · Narayan Kamath · Android (Google) Code Review · 4b4b2b92 · 9aafd4a3 · ba8821b0
Commit ba8821b0 authored Jun 9, 2015 by Narayan Kamath Committed by Android (Google) Code Review Jun 9, 2015
--- a/domain.te
+++ b/domain.te
@@ -356,10 +356,6 @@ neverallow {
  -zygote
  -installd
  -dex2oat
-  -system_server # TODO: The system server needs to create directories
-                 # and link files for split APK installs. This could perhaps be
-                 # removed if we made installd responsible for manipulating the
-                 # staging directory.
 } dalvikcache_data_file:file no_w_file_perms;
 # Only system_server should be able to send commands via the zygote socket

--- a/installd.te
+++ b/installd.te
@@ -8,11 +8,11 @@ allow installd self:capability { chown dac_override fowner fsetid setgid setuid
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
 # Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -16,25 +16,6 @@ allow system_server system_server_tmpfs:file execute;
 allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
-# For PackageInstallerSession.
-#
-# All of these rules relate to the installation and compilation of split
-# APKs. Roughly, the process is as follows. The rules below only pertain
-# to step (3) of the process
-#
-# (1) Create a staging directory.
-# (2) Link existing APKs from the split
-#
-# (3) Link existing compiled oat files : This requires "create_dir_perms"
-# to create oat directories (foo/oat and foo/oat/x86), "relabelto" to
-# make sure they have the right label, and "link" to link files.
-#
-# (3) Invoke dex2oat to compile the updated / new split
-# (4) Rename the staging directory back to the final path.
-allow system_server dalvikcache_data_file:file link;
-allow system_server dalvikcache_data_file:dir relabelto;
-allow system_server dalvikcache_data_file:dir create_dir_perms;
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
 allow system_server resourcecache_data_file:dir r_dir_perms;