Something went wrong on our end
-
Stephen Smalley authoredRun idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>Stephen Smalley authoredRun idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>