Do not allow zygote to execve dalvikcache files. x_file_perms and friends allow execve; we only want to permit mmap/mprotect PROT_EXEC here. Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 49c995d1c805269e992d5885cceea1e4e3635115 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Thu Jan 09 09:27:15 2014 -0500
committer: Nick Kralevich <nnk@google.com> Thu Jan 09 14:05:49 2014 -0800
tree: 6a328853a41ae64ca88cbd1cb06ab47d523d01dc
parent: 39fd7818b34c5e1c7e6e27aaa064d83b24733307 [diff]
diff --git a/zygote.te b/zygote.te
index daa9782..b6a527c 100644
--- a/zygote.te
+++ b/zygote.te

@@ -21,7 +21,9 @@
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
 allow zygote dalvikcache_data_file:dir rw_dir_perms;
-allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
+allow zygote dalvikcache_data_file:file create_file_perms;
+# For art.
+allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.
 allow zygote system_file:file x_file_perms;
 # Control cgroups.
commit	49c995d1c805269e992d5885cceea1e4e3635115	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Thu Jan 09 09:27:15 2014 -0500
committer	Nick Kralevich <nnk@google.com>	Thu Jan 09 14:05:49 2014 -0800
tree	6a328853a41ae64ca88cbd1cb06ab47d523d01dc
parent	39fd7818b34c5e1c7e6e27aaa064d83b24733307 [diff]