Merge "Put dex2oat in it's own sandbox"

app.te

@@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms;
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
 
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 

dex2oat.te

@@ -0,0 +1,6 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;

file_contexts

@@ -160,6 +160,7 @@
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 
 #############################
 # Vendor files

installd.te

@@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms;
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# dex2oat needs LD_PRELOAD, passed down from init
+# https://android-review.googlesource.com/94851
+allow installd dex2oat:process noatsecure;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };

zygote.te

@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms;
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.
 allow zygote system_file:file x_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote self:capability sys_admin;