From 9644df47a38dc1f256cdd8e9095604ffeee50f8e Mon Sep 17 00:00:00 2001
From: Chris Morin <cmtm@google.com>
Date: Mon, 5 Feb 2018 14:26:04 -0800
Subject: [PATCH] prevent benign dex2oat selinux denial temporarily

Since we now call patchoat --verify in zygote art loading code, we have
the unintended effect of webview zygote calling patchoat --verify. This
is undesirable since webview zygote doesn't need to verify the .art
files after the app_process zygote has already done so. The exec of
patchoat fails for webview zygote, and this change hides that. This
change should be reverted when b/72957399 is resolved.

Bug: 66697305
Test: Ensure no new selinux denials were introduced.
Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8
---
 private/webview_zygote.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 78fa5f0e1..9a3a7a35d 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -47,6 +47,10 @@ allow webview_zygote isolated_app:process setpgid;
 # Suppress denials to storage. Webview zygote should not be accessing.
 dontaudit webview_zygote mnt_expand_file:dir getattr;
 
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
 # Get seapp_contexts
 allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
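Review bot: The added `dontaudit webview_zygote dex2oat_exec:file execute;` rule silences every execute denial from webview_zygote on `dex2oat_exec` files, not only the benign `patchoat --verify` exec described in the commit message. The access is still denied, but while the rule is in place an unexpected exec attempt from this domain leaves no trace in the audit log. The comment should therefore state what is hidden and why, for example `# Hide the benign denial from patchoat --verify in zygote ART loading; access stays denied.` above the TODO. The commit message speaks of patchoat while the rule names `dex2oat_exec`; presumably patchoat carries that label, and noting it in the comment would make the rule easier to audit and to revert once b/72957399 is resolved.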
-- 
GitLab