Skip to content
Snippets Groups Projects
  • Stephen Smalley's avatar
    b335e384
    Run idmap in its own domain. · b335e384
    Stephen Smalley authored
    
    Run idmap in its own domain rather than leaving it in installd's domain.
    This prevents misuse of installd's permissions by idmap.
    
    zygote also needs to run idmap.  For now, just run it in zygote's
    domain as it was previously since that is what is done for dex2oat
    invocation by zygote.  zygote appears to run idmap with system uid
    while installd runs it with app UIDs, so using different domains
    seems appropriate.
    
    Remove system_file execute_no_trans from both installd and zygote;
    this should no longer be needed with explicit labels for dex2oat and
    idmap.
    
    Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
    Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    b335e384
    History
    Run idmap in its own domain.
    Stephen Smalley authored
    
    Run idmap in its own domain rather than leaving it in installd's domain.
    This prevents misuse of installd's permissions by idmap.
    
    zygote also needs to run idmap.  For now, just run it in zygote's
    domain as it was previously since that is what is done for dex2oat
    invocation by zygote.  zygote appears to run idmap with system uid
    while installd runs it with app UIDs, so using different domains
    seems appropriate.
    
    Remove system_file execute_no_trans from both installd and zygote;
    this should no longer be needed with explicit labels for dex2oat and
    idmap.
    
    Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
    Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>