Adjust rules around /data/app entities

This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).

Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0

app.te

@@ -137,6 +137,9 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;
 
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:file { rx_file_perms execmod };
+
 ###
 ### CTS-specific rules
 ###

domain.te

@@ -96,6 +96,7 @@ allow domain system_data_file:lnk_file r_file_perms;
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
+allow domain apk_data_file:lnk_file r_file_perms;
 
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };

installd.te

@@ -5,7 +5,9 @@ type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file r_file_perms;
+allow installd apk_data_file:file rename;
+allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;