Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system_server.te b/system_server.te
index 69e9cb0..4c73627 100644
--- a/system_server.te
+++ b/system_server.te
@@ -8,6 +8,9 @@
# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
+# For art.
+allow system_server dalvikcache_data_file:file execute;
+
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
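
Review bot: The comment `# For art.` above the new `allow system_server dalvikcache_data_file:file execute;` rule does not record why execute is needed. The commit message has the reason (system_server maps dalvik-cache files with PROT_EXEC, per the first denial), so the comment could carry it, for example `# ART maps dalvik-cache files with PROT_EXEC.` Because this rule makes anything labeled dalvikcache_data_file executable inside system_server, it is worth confirming as part of this change that system_server holds no write permission on that type; that cannot be checked from the lines shown in this hunk. The platform_app denial quoted in the commit message is not addressed by this hunk either, so the corresponding rule should be reviewed where it appears.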