From 01898ea4aa2dbd676c2c20a796251285a1671a96 Mon Sep 17 00:00:00 2001
From: Narayan Kamath <narayan@google.com>
Date: Thu, 4 Jun 2015 13:52:44 +0100
Subject: [PATCH] Revert "Allow system_server to link,relabel and create_dir
 dalvikcache_data_file."

This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79.

bug: 20889739
Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a
---
 domain.te        |  4 ----
 system_server.te | 19 -------------------
 2 files changed, 23 deletions(-)

diff --git a/domain.te b/domain.te
index 19de0c0af..fc4cfd85a 100644
--- a/domain.te
+++ b/domain.te
@@ -350,10 +350,6 @@ neverallow {
   -zygote
   -installd
   -dex2oat
-  -system_server # TODO: The system server needs to create directories
-                 # and link files for split APK installs. This could perhaps be
-                 # removed if we made installd responsible for manipulating the
-                 # staging directory.
 } dalvikcache_data_file:file no_w_file_perms;
 
 # Only system_server should be able to send commands via the zygote socket
diff --git a/system_server.te b/system_server.te
index 5d1398ab1..0b18eb4b6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -16,25 +16,6 @@ allow system_server system_server_tmpfs:file execute;
 allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 
-# For PackageInstallerSession.
-#
-# All of these rules relate to the installation and compilation of split
-# APKs. Roughly, the process is as follows. The rules below only pertain
-# to step (3) of the process
-#
-# (1) Create a staging directory.
-# (2) Link existing APKs from the split
-#
-# (3) Link existing compiled oat files : This requires "create_dir_perms"
-# to create oat directories (foo/oat and foo/oat/x86), "relabelto" to
-# make sure they have the right label, and "link" to link files.
-#
-# (3) Invoke dex2oat to compile the updated / new split
-# (4) Rename the staging directory back to the final path.
-allow system_server dalvikcache_data_file:file link;
-allow system_server dalvikcache_data_file:dir relabelto;
-allow system_server dalvikcache_data_file:dir create_dir_perms;
-
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
 allow system_server resourcecache_data_file:dir r_dir_perms;
-- 
GitLab