From 38d3eca0d40811fed4b01947bc4b65dd0a375ce1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 4 Mar 2017 23:05:17 -0800
Subject: [PATCH] Remove execmod support for newer API versions
Drop support for execmod (aka text relocations) for newer API versions. Retain it for older app APIs versions.
Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb
---
 private/untrusted_app_25.te | 3 +++
 private/untrusted_app_all.te | 7 ++-----
 public/domain.te | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index e576d27dc..bb95b1fb8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,3 +42,6 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# Legacy text relocations
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 653441271..7d4737dee 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
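Review bot: The comment `# Legacy text relocations` on the rule added to private/untrusted_app_25.te does not say that execmod is kept here on purpose as a compatibility exception, so a later reader cannot tell a deliberate carve-out from a leftover. The rule covers three file types at once, and app_data_file is the one the app itself writes (the untrusted_app_all.te comment in this same commit describes apps writing libraries into their sandbox and executing them), so it is the grant most worth flagging. I would expand the comment to something like `# Legacy text relocations (b/20013628): execmod is retained only for this legacy domain.` followed by `# Do not copy this rule into domains for newer API versions.`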
@@ -17,18 +17,15 @@ ### seapp_contexts. ### -# Legacy text relocations -allow untrusted_app_all apk_data_file:file execmod; - # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. -allow untrusted_app_all app_data_file:file { rx_file_perms execmod }; +allow untrusted_app_all app_data_file:file rx_file_perms; # ASEC allow untrusted_app_all asec_apk_file:file r_file_perms; allow untrusted_app_all asec_apk_file:dir r_dir_perms; # Execute libs in asec containers. -allow untrusted_app_all asec_public_file:file { execute execmod }; +allow untrusted_app_all asec_public_file:file execute; # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". diff --git a/public/domain.te b/public/domain.te index b8004ac94..9ee41ab50 100644 --- a/public/domain.te +++ b/public/domain.te @@ -499,7 +499,7 @@ neverallow * self:process { execstack execheap }; # prohibit non-zygote spawned processes from using shared libraries # with text relocations. b/20013628 . -neverallow { domain -untrusted_app_all } file_type:file execmod; +neverallow { domain -untrusted_app_25 } file_type:file execmod; neverallow { domain -init } proc:{ file dir } mounton; -- GitLab
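Review bot: The comment above the changed neverallow in public/domain.te still reads "prohibit non-zygote spawned processes", which no longer describes the rule. With the exemption narrowed from `untrusted_app_all` to `untrusted_app_25`, the assertion now covers every other domain, which presumably includes other zygote-spawned app domains. I would reword it to `# prohibit all domains except the legacy untrusted_app_25 domain from using shared` followed by `# libraries with text relocations. b/20013628 .`, so the stated intent matches what the policy enforces.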