From be092af039148e3cadcd49ee7042b8f39c7e95a2 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 7 Jul 2014 10:58:53 -0700
Subject: [PATCH] Rules to allow installing package directories.

Earlier changes had extended the rules, but some additional changes are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
---
 file_contexts | 16 ++++++++--------
 system_server.te | 6 ++++--
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/file_contexts b/file_contexts
index 85a1b04e0..7db698fa8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -179,10 +179,10 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
 /data/media(/.*)? u:object_r:media_rw_data_file:s0
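Review bot: In the two `vmdl` entries the `.*` is not limited to a single path component, so with the new `(/.*)?` suffix the pattern `/data/app/vmdl.*\.tmp(/.*)?` matches any path under a `/data/app/vmdl…` entry that contains a component ending in `.tmp`, at any depth, and labels it `apk_tmp_file`. Anchoring the staging name to one component keeps the temporary label on the installer's staging directories and their contents only: `/data/app/vmdl[^/]+\.tmp(/.*)?` and `/data/app-private/vmdl[^/]+\.tmp(/.*)?`. Whether a non-staging entry under `/data/app` can begin with `vmdl` in practice is not visible from this hunk, so this is hardening rather than a confirmed mislabel.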
@@ -236,7 +236,7 @@
 
 #############################
 # asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/res\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
diff --git a/system_server.te b/system_server.te
index b13ce87cd..db82029e1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -171,11 +171,13 @@ allow system_server system_data_file:notdevfile_class_set create_file_perms;
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
 allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
 allow system_server apk_private_tmp_file:file create_file_perms;
 
 # Manage files within asec containers.
@@ -252,8 +254,8 @@ allow system_server media_rw_data_file:file { getattr read write };
 security_access_policy(system_server)
 
 # Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
 
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
-- 
GitLab
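Review bot: The change from `res\.zip` to `[^/]+\.zip` in the asec hunk labels every `.zip` at the root of a container as `asec_public_file`, which is wider than the commit description explains (it covers only package directories and a `relabelfrom` denial). If only a known set of archive names is expected, listing them keeps everything else in the container under `asec_apk_file`. Otherwise a comment above the entry, such as `# Any *.zip at the container root is treated as a public resource archive.`, would record that the widening is intentional. Which domains can read `asec_public_file` is not shown in this diff, so the exposure is inferred from the type name.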
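Review bot: The `# Relabel apk files.` comment above the two changed rules in the last system_server.te hunk is now stale, because both rules cover `dir` as well as `file`; `# Relabel apk files and staged package directories.` would match the policy. The denial quoted in the commit message shows only `relabelfrom` on `apk_data_file:dir`, while the new rules grant `relabelfrom` and `relabelto` on directories of all four types. It is worth confirming that the install path exercises each of those directory permissions, rather than granting them for symmetry with the existing `file` rule.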