From 23cde8776b94ff2228f3a8d845d41052af52319e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 22 Aug 2015 01:29:18 -0700
Subject: [PATCH] system_server: remove old dalvik JIT rules on user/userdebug
 builds

On user and userdebug builds, system_server only loads executable
content from /data/dalvik_cache and /system. JITing for system_server
is only supported on eng builds. Remove the rules for user and
userdebug builds.

Going forward, the plan of record is that system_server will never
use JIT functionality, instead using dex2oat or interpreted mode.

Inspired by https://android-review.googlesource.com/98944

Change-Id: I54515acaae4792085869b89f0d21b87c66137510
---
 system_server.te | 10 ++++++----
 te_macros        |  1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/system_server.te b/system_server.te
index 269d6ee05..5f07f6513 100644
--- a/system_server.te
+++ b/system_server.te
@@ -7,10 +7,12 @@ type system_server, domain, mlstrustedsubject;
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
 
-# Dalvik Compiler JIT Mapping.
-allow system_server self:process execmem;
-allow system_server ashmem_device:chr_file execute;
-allow system_server system_server_tmpfs:file execute;
+eng(`
+  # JIT mappings
+  allow system_server self:process execmem;
+  allow system_server ashmem_device:chr_file execute;
+  allow system_server system_server_tmpfs:file execute;
+')
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
diff --git a/te_macros b/te_macros
index 99a9411e4..e455e6316 100644
--- a/te_macros
+++ b/te_macros
@@ -311,6 +311,7 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+define(`eng', ifelse(target_build_variant, `eng', $1))
 
 #####################################
 # write_logd(domain)