361cdaff3096fafc16bbe88b84d6f99f7944def7 - android_system_sepolicy

commit	361cdaff3096fafc16bbe88b84d6f99f7944def7	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Jan 29 16:49:52 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Thu Jan 29 16:57:15 2015 -0800
tree	4434474419b66e16654c5e17e891b81483840462
parent	db1320f550723616165d67faffd6197b8415dbf8 [diff]

system_server: neverallow dex2oat exec

system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c

system_server.te[diff]

1 file changed

tree: 4434474419b66e16654c5e17e891b81483840462

tools/
access_vectors
adbd.te
Android.mk
app.te
attributes
binderservicedomain.te
bluetooth.te
bootanim.te
clatd.te
debuggerd.te
device.te
dex2oat.te
dhcp.te
dnsmasq.te
domain.te
drmserver.te
dumpstate.te
file.te
file_contexts
fs_use
fsck.te
genfs_contexts
global_macros
gpsd.te
hci_attach.te
healthd.te
hostapd.te
init.te
initial_sid_contexts
initial_sids
inputflinger.te
install_recovery.te
installd.te
isolated_app.te
kernel.te
keys.conf
keystore.te
lmkd.te
logd.te
mac_permissions.xml
mdnsd.te
mediaserver.te
mls
mls_macros
mtp.te
net.te
netd.te
neverallow_macros
nfc.te
NOTICE
platform_app.te
policy_capabilities
port_contexts
ppp.te
property.te
property_contexts
racoon.te
radio.te
README
recovery.te
rild.te
roles
runas.te
sdcardd.te
seapp_contexts
security_classes
service.te
service_contexts
servicemanager.te
shared_relro.te
shell.te
su.te
surfaceflinger.te
system_app.te
system_server.te
te_macros
tee.te
toolbox.te
ueventd.te
unconfined.te
uncrypt.te
untrusted_app.te
users
vdc.te
vold.te
watchdogd.te
wpa.te
zygote.te