Remove legacy execmod access.

Remove the exemptions for untrusted apps and broaden the neverallow so they can't be reinstated. Modifying executable pages is unsafe. Text relocations are not supported. Bug: 111544476 Test: Builds. Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7

Remove legacy execmod access.
Remove the exemptions for untrusted apps and broaden the neverallow so they can't be reinstated. Modifying executable pages is unsafe. Text relocations are not supported. Bug: 111544476 Test: Builds. Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
0f11ffcc · Alan Stokes · 9c8d0546 · 0f11ffcc · 0f11ffcc
Commit 0f11ffcc authored 6 years ago by Alan Stokes
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -21,18 +21,15 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to untrusted_v2_app.te and ephemeral_app.te.
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+allow untrusted_app_all app_data_file:file { rx_file_perms };
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file { execute };
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
@@ -151,10 +148,6 @@ userdebug_or_eng(`
  }:{ dir file lnk_file } { getattr open read };
 ')
-# Temporary auditing to get data on what apps use execmod.
-# TODO(b/111544476) Remove this and deny the permission if feasible.
-auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this

--- a/public/domain.te
+++ b/public/domain.te
@@ -1113,26 +1113,14 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
 # su itself execute su.
 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
 # Do not allow making the stack or heap executable.
 # We would also like to minimize execmem but it seems to be
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };
-# prohibit non-zygote spawned processes from using shared libraries
+# Do not allow the introduction of execmod rules. Text relocations
-# with text relocations. b/20013628 .
+# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_all } file_type:file execmod;
+neverallow * file_type:file execmod;
 neverallow { domain -init } proc:{ file dir } mounton;