From 49c995d1c805269e992d5885cceea1e4e3635115 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 9 Jan 2014 09:27:15 -0500
Subject: [PATCH] Do not allow zygote to execve dalvikcache files.

x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 zygote.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/zygote.te b/zygote.te
index daa978264..b6a527c14 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,7 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
 allow zygote dalvikcache_data_file:dir rw_dir_perms;
-allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
+allow zygote dalvikcache_data_file:file create_file_perms;
+# For art.
+allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.
 allow zygote system_file:file x_file_perms;
 # Control cgroups.
-- 
GitLab