Merge commit '060f6fa6' into HEAD

installd.te

@@ -16,7 +16,8 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { read getattr };
+allow installd download_file:dir { r_dir_perms };
+allow installd download_file:file { r_file_perms };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)

netd.te

@@ -3,7 +3,7 @@ type netd, domain;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:capability { net_admin net_raw kill fsetid };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;

vold.te

@@ -27,7 +27,7 @@ allow vold dm_device:chr_file rw_file_perms;
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace };
+allow vold self:capability { sys_ptrace kill };
 
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
@@ -57,6 +57,7 @@ allow vold kernel:process setsched;
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
+allow vold ctl_default_prop:property_service set;
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;

zygote.te

@@ -44,3 +44,10 @@ allow zygote labeledfs:filesystem remount;
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file { execute_no_trans open };
+
+# handle bugreports b/10498304
+allow zygote ashmem_device:chr_file execute;
+allow zygote init:binder call;
+allow zygote shell_data_file:file { write getattr };
+allow zygote system_server:binder { transfer call };
+allow zygote servicemanager:binder { call };