From 65a89c1b2ba3d2e3fd67e64656ec75af29fac0cf Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 21 Dec 2018 10:03:50 -0800
Subject: [PATCH] Revert "remove app_data_file execute"
This reverts commit b362474374afc402f65695252d30a008326c0eba.
Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.
Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots
---
 private/app_neverallows.te | 13 +------------
 private/ephemeral_app.te | 2 +-
 private/runas_app.te | 7 +++----
 private/untrusted_app_25.te | 8 ++++----
 private/untrusted_app_27.te | 6 +++---
 private/untrusted_app_all.te | 2 +-
 6 files changed, 13 insertions(+), 25 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 10b0b3bd0..6ebbd436a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -47,7 +47,7 @@ neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 neverallow all_untrusted_apps rs_data_file:file { append create link relabelfrom relabelto rename setattr write };
-# Block calling execve() in app /data/data files.
+# Block calling execve() on files in an apps home directory.
 # This is a W^X violation (loading executable code from a writable
 # home directory). For compatibility, allow for targetApi <= 28.
 # b/112357170
@@ -58,17 +58,6 @@ neverallow {
 -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
-# Block calling dlopen() in app /data/data files.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} app_data_file:file execute;
 # Do not allow untrusted apps to invoke dex2oat. This was historically required
 # by ART for compiling secondary dex files but has been removed in Q.
 # Exempt legacy apps (targetApi<=28) for compatibility.
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 92fd32546..4935f3340 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,7 +22,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file r_file_perms;
+allow ephemeral_app app_data_file:file { r_file_perms execute };
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/runas_app.te b/private/runas_app.te
index 00baa83fa..b976b9187 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -6,7 +6,6 @@ untrusted_app_domain(runas_app)
 net_domain(runas_app)
 bluetooth_domain(runas_app)
-# The ability to call exec() or dlopen() on app /data/data
-# files when using run-as on a debuggable app.
-# Needed by simpleperf.
-allow runas_app app_data_file:file { execute_no_trans execute };
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
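Review bot: Deleting the `app_data_file:file execute` neverallow outright leaves no policy-level record that the dlopen() grant on writable app home directories is meant to be a legacy-only carve-out, while the execute_no_trans neverallow just above keeps its W^X rationale; the commit message attributes the revert to a single CTS failure (JvmtiHostTest1906), so the intent to reinstate the rule belongs in this file. I would leave a placeholder under the execute_no_trans neverallow instead of nothing, e.g. `# TODO(b/121333210): restore the neverallow on app_data_file:file execute (W^X, b/112357170) once the JVMTI CTS failure is understood.` The neverallow statement whose `-runas_app` line and closing brace open this hunk begins outside it.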
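Review bot: Restoring `execute` on `app_data_file` for ephemeral_app re-enables dlopen() of code from the writable instant-app sandbox for every targetSdk level, which looks broader than the stated motivation: the failing test in the commit message is a JVMTI CTS host test, which presumably runs against an ordinary debuggable app rather than an instant app (not verifiable from the diff). If so, this file could stay at `allow ephemeral_app app_data_file:file r_file_perms;` and only the untrusted_app_all grant be reverted; if instant apps genuinely need it, the rule should carry a comment saying so, e.g. `# execute re-added for b/121333210; W^X removal tracked in b/112357170.`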
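Review bot: The rewritten comment mentions only exec() and the rule keeps only `execute_no_trans`, but the removed comment recorded that simpleperf also needs dlopen() (`execute`) on app data; that permission is not actually lost for runas_app, it now presumably arrives indirectly through `untrusted_app_domain(runas_app)` (the context line above the hunk) from the untrusted_app_all grant restored elsewhere in this patch. Since the macro's contents are not visible here, a pointer would keep the simpleperf requirement traceable, e.g. `# execute (dlopen) on app_data_file is inherited via untrusted_app_all.`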
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 8825e2e78..7c266a524 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -45,10 +45,10 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi<=25. This is also allowed for targetAPIs 26,
-# 27, and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index fab6acc36..b8fd22eb4 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,9 +27,9 @@ untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c81ebdae..aebb7118a 100644
--- a/private/untrusted_app_all.te
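Review bot: The comment that lands here now describes exec() only, while `execute` (dlopen()) for this legacy domain is no longer granted in this file but by the untrusted_app_all rule restored in the same patch; the context line above still grants `execmod` on `app_data_file`, so text-relocation support for writable home-directory libraries also stays. When b/112357170 is re-attempted the `execute` bit must be re-added here for targetApi<=25, so the comment should say where it currently lives, e.g. `# execute (dlopen) on app_data_file is currently granted to all untrusted apps in untrusted_app_all.te; re-add it here when that grant is removed (b/112357170).` The same remark applies to the untrusted_app_27 hunk that follows.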
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file r_file_perms;
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
 # Allow loading and deleting renderscript created shared libraries
 # within an application home directory.
-- GitLab
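Review bot: This line re-grants `execute` on `app_data_file` to every untrusted app domain regardless of targetSdk, i.e. dlopen() of files in a writable home directory, which the W^X comments in app_neverallows.te identify as the thing being phased out; the revert restores it for all apps to unblock one CTS test and leaves no marker in this file that the grant is temporary. The comment above (`# Some apps ship with shared libraries ...`) reads as a permanent justification, so I would add a status line, e.g. `# TODO(b/121333210): execute re-added by revert to unblock JVMTI CTS; the W^X plan (b/112357170) restricts it to targetApi<=28 again.` If the JVMTI failure turns out to involve only debuggable apps, granting it in runas_app or a targetSdk-split domain would be a tighter fix than a blanket allow here.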