Merge "neverallow write access to /data/dalvik-cache directories."

e010f08e · Nick Kralevich · Gerrit Code Review · 8a224775 · d9bf7b3f · e010f08e
Commit e010f08e authored Jun 16, 2015 by Nick Kralevich Committed by Gerrit Code Review Jun 16, 2015
--- a/domain.te
+++ b/domain.te
@@ -354,6 +354,14 @@ neverallow {
  -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;

+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;