Stephen Smalley  committed 527316a

Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="" path="/data/data/" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <>

  • Parent commits 588bb5c

Files changed (3)

 allow appdomain usb_device:chr_file { read write getattr ioctl };
 allow appdomain usbaccessory_device:chr_file { read write getattr };
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
 ### CTS-specific rules
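Review bot: `allow appdomain dalvikcache_data_file:file execute;` grants every app domain, not only the platform ones named in the commit message, the right to map anything of type dalvikcache_data_file with PROT_EXEC, and the one-word comment `# For art.` will not explain that once dalvik itself is gone. Suggest stating the reason in the comment (ART output under /data/dalvik-cache is mapped executable by app processes) and, since this hunk has no visible file header, confirming that the rule lands in the shared app policy intentionally rather than in the individual platform domains touched by the other two hunks.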

File platform_app.te

 # App sandbox file accesses.
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
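Review bot: the new rule `allow platformappdomain platform_app_data_file:file execute;` is broader than the stated need: the commit message says apps must map cached dex files with PROT_EXEC, but this allows a platform app to map any file it has written into its own data directory as executable, and the quoted denial (comm="" path="/data/data/") does not identify a dex file at all. If the cached dex files cannot be given a distinct type, the justification should be recorded next to the rule; at minimum add the same `# For art.` comment the other two hunks carry, since this rule is the only uncommented line in a commented block.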

File system_server.te

 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+# For art.
+allow system_server dalvikcache_data_file:file execute;
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
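Review bot: the new lines sit directly under `# Dalvik Compiler JIT Mapping.` and `allow system_server self:process execmem;`, so `# For art.` reads as a continuation of the JIT note rather than a separate grant; reword the comment to say what is actually being allowed (mapping ART output from the dalvik-cache, e.g. the SettingsProvider classes.dex denial cited in the message, with PROT_EXEC). The rule itself matches the denial `{ execute } ... tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file` exactly, which is the right minimal permission here.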