Merge "dumpstate: remove JIT and /data execute"

ac457004 · Treehugger Robot · Gerrit Code Review · 36c7f741 · eef72d34 · ac457004
Commit ac457004 authored Sep 6, 2018 by Treehugger Robot Committed by Gerrit Code Review Sep 6, 2018
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -8,9 +8,6 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 # Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
 allow dumpstate system_file:file lock;
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;

--- a/public/domain.te
+++ b/public/domain.te
@@ -428,7 +428,6 @@ neverallow {
    domain
    -appdomain
    with_asan(`-asan_extract')
-    -dumpstate
    -shell
    userdebug_or_eng(`-su')
    -webview_zygote

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -137,13 +137,6 @@ allow dumpstate shell_exec:file rx_file_perms;
 # For running am and similar framework commands.
 # Run /system/bin/app_process.
 allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 # For Bluetooth
 allow dumpstate bluetooth_data_file:dir search;