From 665128fac38368caf9beaeec8f093bfb0391009f Mon Sep 17 00:00:00 2001
From: Jorge Lucangeli Obes <jorgelo@google.com>
Date: Tue, 11 Apr 2017 10:34:23 -0400
Subject: [PATCH] system_server: Report dalvikcache_data_file execute
 violations.

With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.

Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
---
 private/system_server.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index 8f85a4892..549ace6ec 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -18,6 +18,10 @@ allow system_server zygote_tmpfs:file read;
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
+userdebug_or_eng(`
+  # Report dalvikcache_data_file:file execute violations.
+  auditallow system_server dalvikcache_data_file:file execute;
+')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
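Review bot: The comment on the added `auditallow` calls the logged events "violations", but the `allow system_server dalvikcache_data_file:file { r_file_perms execute };` line directly above still grants execute, so the rule produces `granted` AVC records rather than denials. Because of the `userdebug_or_eng` wrapper, it does so only on userdebug/eng builds. I would reword the comment to say this, e.g. `# system_server is not expected to execute code from /data (b/37214733); log any execute that is still granted.` If the plan is to drop `execute` from the allow rule once the logs stay clean, the comment should say so, so the next maintainer knows when this block can be removed; that plan is inferred from the commit message and is not stated in the hunk.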
-- 
GitLab