commit ecc82e0f053942e411b42c84f0bd9f7b9b5bb537
author Jeff Sharkey <jsharkey@android.com> Thu Apr 30 16:07:49 2015 -0700
committer Jeff Sharkey <jsharkey@android.com> Fri May 01 09:21:28 2015 -0700
tree c76aa0b80b92f60822a7b20d202d6491261f6cdc
parent 3c242caffdaba7681b1369b8590be4d75cb5f7dd

Allow installd to move APKs.

As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

(Cherry-pick of 8f821db783e67998c55785f18eeca97e57d061dd)

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458

installd.te

diff --git a/installd.te b/installd.te
index 3f685f1..a47853f 100644
--- a/installd.te
+++ b/installd.te
@@ -5,10 +5,16 @@
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file { rename unlink };
+
+# Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file relabelto;
+
+# Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom };
 allow installd apk_data_file:lnk_file { create read unlink };
+
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };