system_server: neverallow dex2oat exec

system_server should never be executing dex2oat. This is either a bug (for example, bug 16317188), or represents an attempt by system server to dynamically load a dex file, something we don't want to allow. This change adds a compile time assertion which will detect if an allow rule granting this access is ever added. No new rules are added or deleted as a result of this change. This neverallow rule is automatically enforced via CTS. Bug: 16317188 Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c

system_server: neverallow dex2oat exec
system_server should never be executing dex2oat. This is either a bug (for example, bug 16317188), or represents an attempt by system server to dynamically load a dex file, something we don't want to allow. This change adds a compile time assertion which will detect if an allow rule granting this access is ever added. No new rules are added or deleted as a result of this change. This neverallow rule is automatically enforced via CTS. Bug: 16317188 Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
361cdaff · Nick Kralevich · db1320f5 · 361cdaff
Commit 361cdaff authored 10 years ago by Nick Kralevich
--- a/system_server.te
+++ b/system_server.te
@@ -485,3 +485,9 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;