am 56c91f70: am 82bdd796: system_server: (eng builds) remove JIT capabilities

* commit '56c91f70': system_server: (eng builds) remove JIT capabilities

am 56c91f70: am 82bdd796: system_server: (eng builds) remove JIT capabilities
6ea1cc2f · Nick Kralevich · Android Git Automerger · b69ebb1b · 56c91f70 · 6ea1cc2f
Commit 6ea1cc2f authored 9 years ago by Nick Kralevich Committed by Android Git Automerger 9 years ago
--- a/system_server.te
+++ b/system_server.te
@@ -7,13 +7,6 @@ type system_server, domain, mlstrustedsubject;
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)

-eng(`
-  # JIT mappings
-  allow system_server self:process execmem;
-  allow system_server ashmem_device:chr_file execute;
-  allow system_server system_server_tmpfs:file execute;
-')
-
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -475,3 +468,8 @@ neverallow system_server {
 # the frp_block_device. This helps avoid a system_server to root
 # escalation by writing to raw block devices.
 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+neverallow system_server system_server_tmpfs:file execute;