Nick Kralevich authored
Add an SELinux neverallow rule (compile time assertion) that only authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains to perform writes to files in /data/dalvik-cache:

* init
* zygote
* installd
* dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom on /data/dalvik-cache files, and { create, write, setattr } on /data/dalvik-cache directories. Currently init has full write access, which can be reduced over time.

This change was motivated by the discussion in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain. This domain is only used by init, kernel, and fsck on user builds. The kernel and fsck domains have no need to access files in /data/dalvik-cache. Init has a need to relabel files, but that rule is already granted in i...
3c77d4d1
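Added illustration, not part of the commit or of the Android policy sources: a simplified Python model of what the neverallow assertion described above enforces when the policy is built. The type name `dalvikcache_data_file`, the write-permission set, the `example_app` domain and the sample rules are assumptions constructed for this example.

```python
# Simplified model of a neverallow check; not how the policy compiler is implemented.
# Assumed names: the type dalvikcache_data_file and the permission set below.
WRITE_PERMS = frozenset(
    {"write", "append", "create", "unlink", "rename", "setattr", "link"})
# Domains the commit message lists as authorized writers.
AUTHORIZED = frozenset({"init", "zygote", "installd", "dex2oat"})
TARGET = ("dalvikcache_data_file", "file")


def parse_allow(line):
    """Parse 'allow <domain> <type>:<class> <perm or { perms }>;'."""
    parts = line.strip().rstrip(";").split(None, 3)
    if len(parts) != 4 or parts[0] != "allow":
        raise ValueError(f"not an allow rule: {line!r}")
    _, domain, target, perms = parts
    ttype, _, tclass = target.partition(":")
    return domain, ttype, tclass, frozenset(perms.strip("{} ").split())


def neverallow_violations(rules):
    """Return (domain, write perms) for each rule the assertion would reject."""
    violations = []
    for line in rules:
        domain, ttype, tclass, perms = parse_allow(line)
        bad = perms & WRITE_PERMS
        # Only file-class writes by domains outside the authorized set count.
        if (ttype, tclass) == TARGET and domain not in AUTHORIZED and bad:
            violations.append((domain, sorted(bad)))
    return violations


# Constructed sample rules (example_app is a hypothetical domain).
SAMPLE_RULES = [
    "allow zygote dalvikcache_data_file:file { create write setattr };",
    "allow dex2oat dalvikcache_data_file:file write;",
    "allow example_app dalvikcache_data_file:file { read execute };",
    "allow init dalvikcache_data_file:dir { create write setattr };",
    "allow kernel dalvikcache_data_file:file { read write };",
]

if __name__ == "__main__":
    for domain, perms in neverallow_violations(SAMPLE_RULES):
        # In a real build, a violation fails policy compilation.
        print(f"neverallow violated: {domain} may {' '.join(perms)}")
```

Read and execute access by `example_app` passes because the assertion covers writes only, and the `init` rule passes both because init is authorized and because it targets the `dir` class.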