document the non-ART-related reasons for execmem
Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271
diff --git a/app.te b/app.te
index 9431fd1..37ab9a3 100644
--- a/app.te
+++ b/app.te
@@ -7,8 +7,9 @@
### zygote spawned apps should be added here.
###
-# Dalvik Compiler JIT Mapping.
+# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
+
allow appdomain ashmem_device:chr_file execute;
# Receive and use open file descriptors inherited from zygote.
diff --git a/mediaserver.te b/mediaserver.te
index f38a3ec..65438ba 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -14,7 +14,9 @@
binder_call(mediaserver, appdomain)
binder_service(mediaserver)
+# Required by Widevine DRM (b/22990512)
allow mediaserver self:process execmem;
+
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;