Remove 'dex2oat_exec' from untrusted_app

Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<=28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 30acf87..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
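Review bot: The exemption list in the new neverallow (`-untrusted_app_25`, `-untrusted_app_27`) is not obviously the same set as the comment's "targetApi<=28", since nothing in the comment says which of the two domains covers apps targeting 28. Suggest the comment name the exempted domains together with the API range each one handles, and reference b/117606664 so the exemption can be tracked and dropped once legacy callers are gone. The commit message says the legacy access is allowed with audit, but the corresponding allow/auditallow rules are not part of this hunk; it is worth confirming they are scoped to exactly these two domains so the neverallow exemption is no wider than the access actually granted.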