From fbbe9e9117bd55c46ee971577f2fdd64993eb64a Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 6 Aug 2014 18:09:35 -0700
Subject: [PATCH] Allow untrusted_app access to temporary apk files.

Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
---
 untrusted_app.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index c97b4513b..ea20e5627 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -95,3 +95,7 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
+
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
\ No newline at end of file