Backport part of d615ef34 to klp-dev

Part of d615ef34 hasn't been backported to klp-dev yet. Do it now. Change-Id: Ib4f26c64d376e236fa3f76166f5d78a9f28b79a3

Backport part of d615ef34 to klp-dev
9565c5ce · Nick Kralevich · 839af9ed · 9565c5ce · 9565c5ce
Commit 9565c5ce authored 11 years ago by Nick Kralevich
--- a/installd.te
+++ b/installd.te
@@ -16,6 +16,7 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)

--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.