dex2oat: fix forward-locked upgrades with unlabeled asecs dex2oat fails when upgrading unlabeled asec containers. Steps to reproduce: 1) Install a forward locked app on Android 4.1 adb install -l foo.apk 2) Upgrade to tip-of-tree Addresses the following denial: <4>[ 379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file (cherry picked from commit 270be6e86a121922b3621cbeaab9d908e53d04cb) Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137

commit: e4aa75db6101fa2849fc4572c6b1e1b25cb4667d [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Jul 16 15:34:06 2014 -0700
committer: Nick Kralevich <nnk@google.com> Wed Jul 16 16:04:40 2014 -0700
tree: b6e05f6bb22aa31b10b0be176983f30729f6a5e7
parent: 555c3c5a5caac448896198aac96a40cd5f808709 [diff]
diff --git a/dex2oat.te b/dex2oat.te
index 164e89c..2df9947 100644
--- a/dex2oat.te
+++ b/dex2oat.te

@@ -6,4 +6,7 @@
 allow dex2oat installd:fd use;
 
 # Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
 allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
commit	e4aa75db6101fa2849fc4572c6b1e1b25cb4667d	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Jul 16 15:34:06 2014 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Jul 16 16:04:40 2014 -0700
tree	b6e05f6bb22aa31b10b0be176983f30729f6a5e7
parent	555c3c5a5caac448896198aac96a40cd5f808709 [diff]