From 2ec15e5b279f3eeda795f7edd348e5a7d7ff518e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 20 Oct 2017 13:27:26 -0700
Subject: [PATCH] Fixup neverallow rule

When we removed /data/dalvik-cache execute permission for system_server
(b/37214733, b/31780877), I forgot to fixup this neverallow rule.
Fix rule.

Test: policy compiles.
Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e
---
 private/system_server.te | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 44b3b0c28..351068661 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -758,11 +758,8 @@ neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
 # system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
-  data_file_type
-  -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
 
 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root
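Review bot: The rewritten comment above the new `neverallow system_server data_file_type:file no_x_file_perms;` line stops at `# in /data` and no longer says that /data/dalvik-cache is covered on purpose. A later reader could take the missing exception for an oversight and re-add `-dalvikcache_data_file`. I would word the second comment line as `# in /data, including /data/dalvik-cache (no PROT_EXEC mapping exception).` so the intent from the commit message stays next to the rule. The "policy compiles" test shows that no allow rule in this tree still grants system_server execute on dalvikcache_data_file. Device or vendor policy that extends system_server is not visible here and would presumably need the same check.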
-- 
GitLab