From 527316a21b80c2a70d8ed23351299a4dce0c77bf Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 23 Dec 2013 14:48:02 -0500
Subject: [PATCH] Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC.  We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc:  denied  { execute } for  pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 3 +++
 platform_app.te  | 1 +
 system_server.te | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/app.te b/app.te
index eb9179369..f53f633c4 100644
--- a/app.te
+++ b/app.te
@@ -152,6 +152,9 @@ allow appdomain self:rawip_socket create_socket_perms;
 allow appdomain usb_device:chr_file { read write getattr ioctl };
 allow appdomain usbaccessory_device:chr_file { read write getattr };
 
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+
 ###
 ### CTS-specific rules
 ###
diff --git a/platform_app.te b/platform_app.te
index 5a0167e10..40f2dd333 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@ allow platform_app appdomain:fifo_file write;
 # App sandbox file accesses.
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
diff --git a/system_server.te b/system_server.te
index 69e9cb082..4c73627ee 100644
--- a/system_server.te
+++ b/system_server.te
@@ -8,6 +8,9 @@ permissive system_server;
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
 
+# For art.
+allow system_server dalvikcache_data_file:file execute;
+
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
-- 
GitLab