Allow system server to lock system files. ART generically locks profile files, and this avoids special casing the ART code for read-only partitions. An example on how ART does it: https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731 Bug: 119800099 Test: system server locking a system file, no denial (cherry picked from commit db3fde05b507a9c425d4a8539292a005d82a81c1) Change-Id: I5623f5d548dd1226e5788e369333922a27f14021 Merged-In: I4339f19af999d43e07995ddb77478a2384bbe209

commit: 52414b2d59024e65f22d7a4bfa7bb62d5478bbeb [log] [tgz]
author: Nicolas Geoffray <ngeoffray@google.com> Fri May 10 02:44:47 2019 +0100
committer: Nicolas Geoffray <ngeoffray@google.com> Fri May 10 17:37:14 2019 +0100
tree: 614a1866594143dd77482e7934ea30359a2f42a3
parent: 6f1800f6df4f1d08b6c137d8fc640d91dc85da31 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 0b27847..45d36dd 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -642,6 +642,9 @@
 allow system_server system_file:dir r_dir_perms;
 allow system_server system_file:lnk_file r_file_perms;
 
+# ART locks profile files.
+allow system_server system_file:file lock;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_control:file rw_file_perms;
commit	52414b2d59024e65f22d7a4bfa7bb62d5478bbeb	[log] [tgz]
author	Nicolas Geoffray <ngeoffray@google.com>	Fri May 10 02:44:47 2019 +0100
committer	Nicolas Geoffray <ngeoffray@google.com>	Fri May 10 17:37:14 2019 +0100
tree	614a1866594143dd77482e7934ea30359a2f42a3
parent	6f1800f6df4f1d08b6c137d8fc640d91dc85da31 [diff] [blame]