From ce15e5e510d77e984350c242e3b8fee88f8cf396 Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Mon, 3 Dec 2018 20:50:37 +0900
Subject: [PATCH] Allow apexd to label apk_tmp_file to apex_data_file

Currently, when an APEX is staged, apexd moves the file from
/data/app/vmdl*.tmp directory to /data/apex. However, the original file
is labeled with apk_tmp_file and is not readable from apexd.

We plan to resolve this issue by moving the file content via a file
descriptor between the package manager and apexd.

However, until the plan is implemented, temporarily allow apexd to
relabel the file to apex_data_file that is readable to it. This unblocks
the end-to-end test for APEX.

Bug: 112669193
Test: adb install --apex system/apex/apexd/apexd_testdata/test.apex
adb reboot; adb root; adb shell; cmd apexservice getActivePackages
The test APEX is activated

Change-Id: Ib9d4f5c699261f1fa1e6d557731767ee4d7168f9
---
 private/apexd.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index 61e099bf9..7a1e4e241 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -40,6 +40,11 @@ allow apexd apex_mnt_dir:dir mounton;
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
 
+# allow apexd to relabel apk_tmp_file to apex_data_file.
+# TODO(b/112669193) remove this when APEXes are staged via file descriptor
+allow apexd apk_tmp_file:file relabelfrom;
+allow apexd apex_data_file:file relabelto;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
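Review bot: The two added `allow` rules are scoped only by type, so apexd may relabel any file carrying `apk_tmp_file`, which presumably covers every staged package under /data/app/vmdl*.tmp rather than only APEX payloads, and the comment above them does not record that breadth. The commit message says apexd cannot read the file while it is still `apk_tmp_file`, so the content is first inspected by apexd only after it already carries `apex_data_file`; whether it is verified before activation is not visible in this patch. I would extend the comment to say so, e.g. `# Temporary and broad: applies to every apk_tmp_file, not only staged APEXes; apexd must verify the file after relabeling and before activating it.`, and keep the TODO so that both rules are removed together once staging moves to file descriptors.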
-- 
GitLab