installd: explicitly specify capabilities
If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify the capabilities that installd needs.
The list of capabilities that installd is allowed to use was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s installd -c capability,capability2 /tmp/selinux.policy
allow installd installd:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin };
```
Note: installd can transfer in several other domains, but all of them
either don't need any capabilities, or need a subset of installd
capabilities:
```
sesearch --allow -s dex2oat -c capability,capability2 /tmp/selinux.policy
sesearch --allow -s dexoptanalyzer -c capability,capability2 /tmp/selinux.policy
sesearch --allow -s viewcompiler -c capability,capability2 /tmp/selinux.policy
sesearch --allow -s profman -c capability,capability2 /tmp/selinux.policy
sesearch --allow -s idmap -c capability,capability2 /tmp/selinux.policy
sesearch --allow -s migrate_legacy_obb_data -c capability,capability2 /tmp/selinux.policy
allow migrate_legacy_obb_data migrate_legacy_obb_data:capability { chown dac_override dac_read_search fowner fsetid };
```
Bug: 249796710
Test: presubmit
Change-Id: I98d54ab08707e406b54968974ba8ea457499fcde
Loading
Please register or sign in to comment