In response to bug #1228254, u-d-m now throws a dbus error if it's asked in unconfined mode for a file that already exists. This combines with system-image behavior to make it impossible to recover from a failed download without rebooting the device. I think system-image needs to check for already-downloaded files on the system in the expected path, and either remove them unconditionally for redownload, or spot-verify their sums and omit any correctly-downloaded files from the request to u-d-m.
Relatedly, system-image needs to stop using a well-known path under /tmp for these files. This needs to move to a root-only directory instead. (While s-i could use proper tmpdir handling to create a private directory under /tmp without risking a DoS or symlink attack, this would have undesirable semantics wrt retries, because subsequent s-i processes would necessarily be asking u-d-m to download files to different directories each time.) From an FHS standpoint, I think the correct location for these downloads is /var/cache/system-image. That would need to be coordinated with lxc-android-config to get this directory made writable. Alternatively, the files should just be downloaded directly to /android/cache/recovery (under an appropriate tmp/"in-progress" directory name), which would save having to do a cross-filesystem copy after download.
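A sketch of the check proposed in this report, added here as an illustration and not taken from system-image or u-d-m: before a download request is built, leftovers in a private cache directory are either verified and dropped from the request or removed so the destination path is free. The function names, the `(url, name, sha256)` record shape and the demo paths are assumptions.

```python
import hashlib
import os
import stat
import tempfile

def ensure_private_dir(path):
    """Create `path` mode 0700; refuse a symlink or a directory others can access."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: a symlink planted at `path` is not a directory
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError(f"{path} is not private to this user")

def sha256_of(path):
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # never read through a symlink
    with os.fdopen(fd, "rb") as f:
        h = hashlib.sha256()
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def prune_request(cache_dir, wanted):
    """wanted: [(url, file name, sha256 hex)]. Returns [(url, dest)] still to fetch."""
    ensure_private_dir(cache_dir)
    todo = []
    for url, name, digest in wanted:
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError(f"unsafe file name: {name!r}")
        dest = os.path.join(cache_dir, name)
        try:
            st = os.lstat(dest)
        except FileNotFoundError:
            todo.append((url, dest))
            continue
        if stat.S_ISREG(st.st_mode) and sha256_of(dest) == digest:
            continue  # verified leftover from an earlier attempt: omit it
        os.unlink(dest)  # partial, corrupt or symlink: clear it so the path is free
        todo.append((url, dest))
    return todo

if __name__ == "__main__":
    cache = os.path.join(tempfile.mkdtemp(), "system-image")  # constructed stand-in path
    ensure_private_dir(cache)
    with open(os.path.join(cache, "a.tar.xz"), "wb") as f:
        f.write(b"constructed payload")
    good = hashlib.sha256(b"constructed payload").hexdigest()
    print(prune_request(cache, [("https://example.invalid/a.tar.xz", "a.tar.xz", good),
                                ("https://example.invalid/b.tar.xz", "b.tar.xz", "0" * 64)]))
```

Because the directory path is fixed and private, a retry from a new process sees the same leftovers and asks only for what is still missing.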
I just reported bug #1234703, which is about "checking for new updates makes the update panel non functional until reboot". It seems somewhat similar, but I'm not sure if that's a duplicate.