From 3bb1ccc265bbc6e865506b38ae66721ec1177b55 Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Mon, 16 Sep 2013 14:53:41 -0700
Subject: [PATCH] Fix long-tail denials in enforcing domains.

The specific denials we see are:

denied { getattr } for pid=169 comm=""installd"" path=""/data/data/com.android.providers.downloads/cache/downloadfile.jpeg"" dev=""mmcblk0p23"" ino=602861 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
denied { fsetid } for pid=598 comm=""netd"" capability=4 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
denied { read } for pid=209 comm=""installd"" name=""cache"" dev=""mmcblk0p28"" ino=81694 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir

Bug: 10786017
Change-Id: Ia5d0b6337f3de6a168ac0d5a77df2a1ac419ec29
---
 installd.te | 1 +
 netd.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/installd.te b/installd.te
index f8d30b779..db7653136 100644
--- a/installd.te
+++ b/installd.te
@@ -17,6 +17,7 @@ allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 allow installd download_file:dir { r_dir_perms };
+allow installd download_file:file { r_file_perms };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/netd.te b/netd.te
index f98be3d3c..0cd087246 100644
--- a/netd.te
+++ b/netd.te
@@ -3,7 +3,7 @@
 type netd, domain;
 type netd_exec, exec_type, file_type;
 init_daemon_domain(netd)
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:capability { net_admin net_raw kill fsetid };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;
-- 
GitLab
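Review bot: The new installd rule grants `r_file_perms` (read, open, getattr, ioctl, lock) on every `download_file`, but the only file denial quoted in the description is `getattr` on a downloads-provider cache entry, so the rule is broader than the observed need. If installd's walk of app cache directories only stats entries, `allow installd download_file:file getattr;` is the tighter rule; if it genuinely reads download contents, that should be stated, since download_file holds user-downloaded data. Either way the line needs a why-comment, e.g. `# installd walks app cache dirs, including the downloads provider cache (bug 10786017).`, because neither the rule nor the surrounding policy says why the installer needs access to downloads. The braces around a single macro match the `{ r_dir_perms }` line above it, so the style is consistent with the file.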
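Review bot: Adding `fsetid` to netd's capability set is likely the wrong fix for this denial: the kernel checks CAP_FSETID on the chmod/chown path to decide whether to clear the setgid bit when the caller is not in the file's group, regardless of whether setgid was ever set, so a logged `fsetid` denial does not show that netd needs to preserve or set setuid/setgid bits. If that is the trigger here (the description only shows the audit line, not the syscall), the right response is to silence the check rather than grant it: leave the allow line as it was and add `dontaudit netd self:capability fsetid;` with a comment explaining that the check is a side effect of chmod on files owned by another group. Granting the capability for real would let a compromised netd retain setuid/setgid bits on files it modifies, which nothing in the hunk justifies.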