From eef72d34b4e68470ef65b5307a3a657985dd6b12 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 6 Sep 2018 12:46:18 -0700
Subject: [PATCH] dumpstate: remove JIT and /data execute

Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
---
 private/dumpstate.te | 3 ---
 public/domain.te     | 1 -
 public/dumpstate.te  | 7 -------
 3 files changed, 11 deletions(-)

diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2c2a62f53..b3db3d423 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -8,9 +8,6 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 # Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
 allow dumpstate system_file:file lock;
 
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index a865bd8c8..deccae324 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -428,7 +428,6 @@ neverallow {
     domain
     -appdomain
     with_asan(`-asan_extract')
-    -dumpstate
     -shell
     userdebug_or_eng(`-su')
     -webview_zygote
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9187f335e..3b246c190 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -137,13 +137,6 @@ allow dumpstate shell_exec:file rx_file_perms;
 # For running am and similar framework commands.
 # Run /system/bin/app_process.
 allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 
 # For Bluetooth
 allow dumpstate bluetooth_data_file:dir search;