neverallow write access to /data/dalvik-cache directories.

Prohibit all but a specific set of whitelisted domains
from writing to /data/dalvik-cache.  This is to prevent
code injection into apps, zygote, or system_server.

Inspired by:
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
which depended on system UID apps having write access to
/data/dalvik-cache (not allowed in AOSP policy but evidently
in those device policies).  Prevent this from recurring.

Change-Id: I282c7bf998421d794883e432b091ad1dcf9da67e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
1 file changed