Fixup neverallow rule

When we removed /data/dalvik-cache execute permission for system_server (b/37214733, b/31780877), I forgot to fixup this neverallow rule. Fix rule. Test: policy compiles. Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e

Fixup neverallow rule
When we removed /data/dalvik-cache execute permission for system_server (b/37214733, b/31780877), I forgot to fixup this neverallow rule. Fix rule. Test: policy compiles. Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e
2ec15e5b · Nick Kralevich · 714ee5f2 · 2ec15e5b
Commit 2ec15e5b authored 7 years ago by Nick Kralevich
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -758,11 +758,8 @@ neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock
 neverallow system_server dex2oat_exec:file no_x_file_perms;

 # system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
-  data_file_type
-  -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;

 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root