From 0f11ffccf907b000213d76eccb22a84ac73c19e5 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Thu, 2 Aug 2018 11:53:40 +0100
Subject: [PATCH] Remove legacy execmod access.

Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
---
 private/untrusted_app_all.te | 11 ++---------
 public/domain.te             | 18 +++---------------
 2 files changed, 5 insertions(+), 24 deletions(-)

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6e09c8cc6..07d9d4d19 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -21,18 +21,15 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to untrusted_v2_app.te and ephemeral_app.te.
 
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+allow untrusted_app_all app_data_file:file { rx_file_perms };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file { execute };
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
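Review bot: The new rules on lines 32 and 39 leave no trace of why execmod is gone, so the next person who sees an app's text-relocation denial may simply add it back and only then discover the neverallow in public/domain.te; a one-line comment above the app_data_file rule would save that round trip, e.g. `# execmod is intentionally absent: text relocations are unsupported and neverallow'd in public/domain.te.`. As a point of style, the single-element sets `{ rx_file_perms }` and `{ execute }` are left over from the removed second permission and could be written bare as `allow untrusted_app_all app_data_file:file rx_file_perms;` and `allow untrusted_app_all asec_public_file:file execute;`, matching the surrounding rules such as the asec_apk_file lines.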
@@ -151,10 +148,6 @@ userdebug_or_eng(`
   }:{ dir file lnk_file } { getattr open read };
 ')
 
-# Temporary auditing to get data on what apps use execmod.
-# TODO(b/111544476) Remove this and deny the permission if feasible.
-auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
diff --git a/public/domain.te b/public/domain.te
index 5dcfdf871..6c0a92a4a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1113,26 +1113,14 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
 # su itself execute su.
 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
 
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
-
 # Do not allow making the stack or heap executable.
 # We would also like to minimize execmem but it seems to be
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };
 
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
+# Do not allow the introduction of execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow * file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
-- 
GitLab