system_server: drop dalvikcache_data_file execute.

With build/core eaa9d88cf, system_server should not be loading code from /data. https://bugs.chromium.org/p/project-zero/issues/detail?id=955 Bug: 37214733 Bug: 31780877 Test: Device boots and no obvious problems. Test: No collected SELinux denials for build-server generated builds. Change-Id: I37b1e9e6c4555c937730ab491b6c38801b38ad38

system_server: drop dalvikcache_data_file execute.
With build/core eaa9d88cf, system_server should not be loading code from /data. https://bugs.chromium.org/p/project-zero/issues/detail?id=955 Bug: 37214733 Bug: 31780877 Test: Device boots and no obvious problems. Test: No collected SELinux denials for build-server generated builds. Change-Id: I37b1e9e6c4555c937730ab491b6c38801b38ad38
aa365288 · Nick Kralevich · 2bbc9c9f · aa365288 · aa365288
Commit aa365288 authored 7 years ago by Nick Kralevich
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -17,11 +17,8 @@ allow system_server zygote_tmpfs:file read;

 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
-userdebug_or_eng(`
-  # Report dalvikcache_data_file:file execute violations.
-  auditallow system_server dalvikcache_data_file:file execute;
-')
+allow system_server dalvikcache_data_file:file r_file_perms;
+
 # When running system server under --invoke-with, we'll try to load the boot image under the
 # system server domain, following links to the system partition.
 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

--- a/public/domain.te
+++ b/public/domain.te
@@ -355,7 +355,6 @@ neverallow {
    -dumpstate
    -shell
    userdebug_or_eng(`-su')
-    -system_server
    -webview_zygote
    -zygote
 } {