Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004

commit: caf42d615dc9488d8e3601d3277167d61475a61a [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Oct 04 10:57:29 2018 -0700
committer: Nick Kralevich <nnk@google.com> Wed Oct 31 12:32:01 2018 +0000
tree: 868240a371ccb5ed97253b7e5ba601c71c27e736
parent: 29db0ebf3d052e16c379e7a8e6f4057dc399fdc4 [diff] [blame]
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 418150e..d0cf2a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -98,7 +98,8 @@
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
-isSystemServer=true domain=system_server
+isSystemServer=true domain=system_server_startup
+
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
commit	caf42d615dc9488d8e3601d3277167d61475a61a	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Oct 04 10:57:29 2018 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Oct 31 12:32:01 2018 +0000
tree	868240a371ccb5ed97253b7e5ba601c71c27e736
parent	29db0ebf3d052e16c379e7a8e6f4057dc399fdc4 [diff] [blame]