am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec

* commit '437f713936148eb0cf3eb277eab72b07a1d533ca':
  system_server: neverallow dex2oat exec

1 files changed, 6 insertions, 0 deletions

diff --git a/system_server.te b/system_server.te
index c67f2f9..51e40eb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -489,3 +489,9 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;