From aa365288ef720b46242025a29544ac5d5040f907 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 3 May 2017 14:01:58 -0700
Subject: [PATCH] system_server: drop dalvikcache_data_file execute.

With build/core eaa9d88cf, system_server should not be loading code
from /data.

https://bugs.chromium.org/p/project-zero/issues/detail?id=955

Bug: 37214733
Bug: 31780877
Test: Device boots and no obvious problems.
Test: No collected SELinux denials for build-server generated builds.
Change-Id: I37b1e9e6c4555c937730ab491b6c38801b38ad38
---
 private/system_server.te | 7 ++-----
 public/domain.te         | 1 -
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 208eb73e6..d213f97ef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -17,11 +17,8 @@ allow system_server zygote_tmpfs:file read;
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
-userdebug_or_eng(`
-  # Report dalvikcache_data_file:file execute violations.
-  auditallow system_server dalvikcache_data_file:file execute;
-')
+allow system_server dalvikcache_data_file:file r_file_perms;
+
 # When running system server under --invoke-with, we'll try to load the boot image under the
 # system server domain, following links to the system partition.
 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
diff --git a/public/domain.te b/public/domain.te
index c528871bd..794fd454b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -355,7 +355,6 @@ neverallow {
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
-    -system_server
     -webview_zygote
     -zygote
 } {
-- 
GitLab