Remove 'dex2oat_exec' from untrusted_app Remove the permission to execute dex2oat from apps targetSdkVersion>28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion<= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5

commit: 535c5d2be06fe9c52bf14225883dbe68055c6df3 [log] [tgz]
author: David Brazdil <dbrazdil@google.com> Mon Nov 19 23:02:49 2018 +0000
committer: David Brazdil <dbrazdil@google.com> Mon Nov 19 23:47:39 2018 +0000
tree: d6f8e8bebbe769fccf938cc8ae764d1a7943ad8f
parent: 41ddb80cd8c69cbd8730c77f5f7bf32a649199bb [diff] [blame]
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..c828f64 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te

@@ -30,3 +30,9 @@
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+
commit	535c5d2be06fe9c52bf14225883dbe68055c6df3	[log] [tgz]
author	David Brazdil <dbrazdil@google.com>	Mon Nov 19 23:02:49 2018 +0000
committer	David Brazdil <dbrazdil@google.com>	Mon Nov 19 23:47:39 2018 +0000
tree	d6f8e8bebbe769fccf938cc8ae764d1a7943ad8f
parent	41ddb80cd8c69cbd8730c77f5f7bf32a649199bb [diff] [blame]