From 9565c5cef209be6a9bc392e6a1352aaaad5bdc23 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 9 Sep 2013 20:45:04 -0700
Subject: [PATCH] Backport part of d615ef3477da23e7fca9c13b6d63915992e63d2d to
 klp-dev

Part of d615ef3477da23e7fca9c13b6d63915992e63d2d hasn't been backported
to klp-dev yet.  Do it now.

Change-Id: Ib4f26c64d376e236fa3f76166f5d78a9f28b79a3
---
 installd.te | 1 +
 zygote.te   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/installd.te b/installd.te
index acbb9cecc..68a0d068c 100644
--- a/installd.te
+++ b/installd.te
@@ -16,6 +16,7 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
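Review bot: The new `allow installd download_file:dir { read getattr };` rule carries no comment saying which installd operation needs it, and the commit message gives only the upstream hash. The permission set is narrower than `r_dir_perms` (no `open` or `search`), which looks deliberate but cannot be told apart from an incomplete rule without a stated rationale. I would add a line above it such as `# <installd operation that touches download directories>; read/getattr only, no open/search.` so a later audit can confirm the grant is still needed and still minimal.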
diff --git a/zygote.te b/zygote.te
index bf4d5ec29..29288e863 100644
--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
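Review bot: Adding `fowner` to zygote's capability set is not reflected in the comment above the rule, which still reads `# Override DAC on files and switch uid/gid.`. CAP_FOWNER bypasses owner checks on operations such as chmod and utime for files the process does not own, so it is a separate privilege from `dac_override` and needs its own justification in the domain that app processes are forked from. I would extend the comment to `# Override DAC and file-ownership checks on files and switch uid/gid.` and name the zygote operation that requires it, since the commit message does not say.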
-- 
GitLab