Allow artd and profman to access package installing tmp folder
This change is needed for refactoring the installation flow and move dexopt to be before the installation commit starts.
When we try to do dexopt at the temporary folder of the app installing, we encounter an error, because artd has no permissioin to access the tmp folder. Also, art uses profman during dexopt, and profman has also no permission.
Bug: 321139675
Test: manual
Change-Id: I6e8d3fe805d28ce8ffaf8768d4aa9428edaf81a3
diff --git a/private/artd.te b/private/artd.te
index bc4a7a2..15d7969 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -40,6 +40,8 @@
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_data_file:file r_file_perms;
+allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_tmp_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
diff --git a/private/profman.te b/private/profman.te
index 7071334..d1ce926 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -6,6 +6,7 @@
allow profman {
system_file
apk_data_file
+ apk_tmp_file
vendor_app_file
}:file { getattr read map lock };
@@ -23,6 +24,7 @@
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
+allow profman apk_tmp_file:dir { getattr read search };
allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.