From 361cdaff3096fafc16bbe88b84d6f99f7944def7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 29 Jan 2015 16:49:52 -0800
Subject: [PATCH] system_server: neverallow dex2oat exec

system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
---
 system_server.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system_server.te b/system_server.te
index aaa0657a3..bfe5b89b0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -485,3 +485,9 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
-- 
GitLab