I have a native service which internally needs to communicate with the Java layer. So I am using the android_runtime.so library to create a JavaVm and call startVm.
In permissive mode, what I intend to do works fine. But in enforcing mode, I need to add the following rule to make it work, and that rule is a neverallow (line 445 of <AOSP_9.0>/system/sepolicy/public/domain.te).
allow mynativeservice mynativeservice_tmpfs:file execute;
The description of this neverallow in domain.te (Android 9.0) is:
“Assert that, to the extent possible, we’re not loading executable content from outside the rootfs or /system partition except for a few whitelisted domains.”
The following are whitelisted:
- appdomain
- dumpstate
- shell
- webview_zygote
- zygote
My questions are:
1. Are we allowed to use android_runtime?
2. If yes, how do I start the JavaVm without the above neverallow?
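An added example (not part of the question, and not AOSP code) that models how the quoted domain.te assertion catches a rule like the one above: it turns a constructed AVC denial into the allow rule audit2allow would propose, then evaluates that rule against a simplified model of the neverallow (every type in the `domain` attribute minus the whitelisted domains, targeting file types outside rootfs or /system, class file, permission execute). The type names, the attribute memberships and the denial line are constructed for illustration; the real policy has many more types and exclusions, so this only shows the mechanics of attribute negation, not the exact AOSP rule.

```python
"""Model of how an SELinux neverallow with attribute negation catches a proposed
allow rule.  Added example: the neverallow below is a simplified model of the
domain.te assertion quoted in the question; type/attribute names and the AVC
denial are constructed, not taken from AOSP."""
import re
from dataclasses import dataclass

# Constructed, simplified type/attribute memberships (assumption: real AOSP
# policy has far more types; only enough to exercise the check is modelled).
ATTRIBUTES = {
    "domain": {"mynativeservice", "zygote", "webview_zygote", "shell",
               "dumpstate", "untrusted_app", "system_server"},
    "appdomain": {"untrusted_app"},
    "file_type": {"mynativeservice_tmpfs", "system_file", "init_exec",
                  "app_data_file"},
    "system_file_type": {"system_file", "init_exec"},
    "exec_type": {"init_exec"},
}


@dataclass(frozen=True)
class Rule:
    """One access-vector rule: source type, target type, object class, perms."""
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class Neverallow:
    """A neverallow whose source and target are set expressions of the form
    { attr_or_type ... -excluded ... }, as written in domain.te."""
    src_include: tuple
    src_exclude: tuple
    tgt_include: tuple
    tgt_exclude: tuple
    tclass: str
    perms: frozenset

    def sources(self):
        return resolve(self.src_include, self.src_exclude)

    def targets(self):
        return resolve(self.tgt_include, self.tgt_exclude)


def expand(name):
    """An attribute expands to its member types; a plain type is itself."""
    return set(ATTRIBUTES.get(name, {name}))


def resolve(include, exclude):
    """Evaluate { a b -c -d }: union of included names minus union of excluded."""
    members = set().union(*(expand(n) for n in include))
    removed = set().union(*(expand(n) for n in exclude))
    return members - removed


# Simplified model of the domain.te assertion: no domain other than the
# whitelisted ones may execute files outside rootfs or /system.  Assumption:
# "outside rootfs or /system" is modelled as file_type minus system_file_type
# and exec_type.
NO_EXEC_OUTSIDE_SYSTEM = Neverallow(
    src_include=("domain",),
    src_exclude=("appdomain", "dumpstate", "shell", "webview_zygote", "zygote"),
    tgt_include=("file_type",),
    tgt_exclude=("system_file_type", "exec_type"),
    tclass="file",
    perms=frozenset({"execute"}),
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<source>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<target>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Turn an AVC denial into the allow rule audit2allow would propose."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    return Rule(m["source"], m["target"], m["tclass"],
                frozenset(m["perms"].split()))


def as_allow(rule):
    """Render a Rule in policy syntax."""
    return "allow %s %s:%s %s;" % (rule.source, rule.target, rule.tclass,
                                   " ".join(sorted(rule.perms)))


def violates(rule, neverallow):
    """True when adding `rule` would trip `neverallow`."""
    return (rule.tclass == neverallow.tclass
            and rule.source in neverallow.sources()
            and rule.target in neverallow.targets()
            and bool(rule.perms & neverallow.perms))


def triage(line, neverallows=(NO_EXEC_OUTSIDE_SYSTEM,)):
    """Return (proposed allow rule, True if any neverallow blocks it)."""
    rule = parse_avc(line)
    return as_allow(rule), any(violates(rule, n) for n in neverallows)


# Constructed denial, shaped like what dmesg shows in permissive mode.
SAMPLE_DENIAL = (
    'type=1400 audit(0.0:1): avc: denied { execute } for pid=1234 '
    'comm="mynativeservice" path="/dev/ashmem" dev="tmpfs" ino=1 '
    'scontext=u:r:mynativeservice:s0 tcontext=u:object_r:mynativeservice_tmpfs:s0 '
    'tclass=file permissive=1'
)

if __name__ == "__main__":
    rule_text, blocked = triage(SAMPLE_DENIAL)
    print(rule_text, "-> blocked by neverallow" if blocked else "-> ok to add")
```

The same denial from `zygote`, or against a `system_file_type` target, resolves to a rule outside the neverallow's source or target set and is reported as addable; the point is that attribute negation is evaluated at policy-compile time over the whole type set, so the only ways past it are to be in the whitelist or to change the target type, not to word the allow rule differently.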