From 13ee65392ed620d04fd6ab71725da6d9b4dd1cc4 Mon Sep 17 00:00:00 2001
From: Orion Hodson
Date: Tue, 27 Apr 2021 15:51:33 +0100
Subject: [PATCH] app.te: enable mapping ART apexdata cache executable

Some jars, such com.android.location.provider.jar, are both on the system_server classpath and loaded as libraries. If the .oat files are in the ART apexdata cache (due to being system_server classpath), they need to be execute permission to be usable as AOT compiled libraries.

Bug: 184881321
Test: install an updated ART apex, open apps, see no more denials
Change-Id: I89b74dfa047699c568575d99a29c5e74abdef076
---
 private/app.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/private/app.te b/private/app.te
index 126f11fff..94d24e040 100644
--- a/private/app.te
+++ b/private/app.te
@@ -72,9 +72,9 @@ allow appdomain font_data_file:dir r_dir_perms;

 # Enter /data/misc/apexdata/
 allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
 allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file r_file_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;

 # Allow access to tombstones if an fd to one is given to you.
 # This is restricted by unix permissions, so an app must go through system_server to get one.
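Review bot: `rx_file_perms` on the new `apex_art_data_file:file` rule grants more than the commit message asks for: besides `execute` it carries `execute_no_trans`, which lets every appdomain process exec() these files directly, whereas mapping an .oat file executable needs only `execute` on top of the existing `r_file_perms`. Consider `allow appdomain apex_art_data_file:file { r_file_perms execute };`. The updated comment says "signed AOT artifacts", but nothing in this rule checks a signature; the guarantee presumably rests on which domains may write this type. It is worth confirming that a neverallow keeps appdomain from writing or creating `apex_art_data_file` files, and stating that dependency in the comment.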