From 8ee37b4f1c58e1dcd00b198a9bbfeafb4221fdc9 Mon Sep 17 00:00:00 2001
From: Ed Heyl <edheyl@google.com>
Date: Mon, 14 Jul 2014 23:32:08 -0700
Subject: [PATCH] reconcile aosp (c103da877b72aae80616dbc192982aaf75dfe888)
 after branching. Please do not merge.

Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
---
 app.te        | 3 +++
 dex2oat.te    | 6 ++++++
 file_contexts | 1 +
 installd.te   | 6 ++++++
 zygote.te     | 1 +
 5 files changed, 17 insertions(+)
 create mode 100644 dex2oat.te

diff --git a/app.te b/app.te
index 2d6416f3e..8288ea054 100644
--- a/app.te
+++ b/app.te
@@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms;
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
 
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 
diff --git a/dex2oat.te b/dex2oat.te
new file mode 100644
index 000000000..51acc86bf
--- /dev/null
+++ b/dex2oat.te
@@ -0,0 +1,6 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
diff --git a/file_contexts b/file_contexts
index 57fc1f2f9..def1e5349 100644
--- a/file_contexts
+++ b/file_contexts
@@ -160,6 +160,7 @@
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 
 #############################
 # Vendor files
diff --git a/installd.te b/installd.te
index 5faa1ec82..6257edeb6 100644
--- a/installd.te
+++ b/installd.te
@@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms;
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# dex2oat needs LD_PRELOAD, passed down from init
+# https://android-review.googlesource.com/94851
+allow installd dex2oat:process noatsecure;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/zygote.te b/zygote.te
index c2a325eec..c2a239593 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms;
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.
 allow zygote system_file:file x_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote self:capability sys_admin;
-- 
GitLab