dex2oat: fix forward locked apps
dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:
type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
Steps to reproduce:
$ adb install -r -l SimpleJNI.apk
Expected:
app installs
Actual:
app fails to install.
Bug: 16328233
(cherry picked from commit 5259c5e61625c4bd45b96c1712977dc2cde9e555)
Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b
diff --git a/dex2oat.te b/dex2oat.te
index 51acc86..164e89c 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -4,3 +4,6 @@
allow dex2oat dalvikcache_data_file:file write;
allow dex2oat installd:fd use;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+allow dex2oat asec_apk_file:file read;
