From 89424bf9470931df90afa4f6d141b3696ad5a632 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 27 Oct 2015 17:15:34 -0700
Subject: [PATCH] Update text relocation neverallow assertions

1) Don't allow any SELinux domain to attempt to perform a text relocation on a file from the /system partition. It's not supported and should never be attempted.

2) Completely block any non-app SELinux domains from using text relocations, regardless of the source.

Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
---
 domain.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index f5078c0a5..ee606a4b1 100644
--- a/domain.te
+++ b/domain.te
@@ -417,7 +417,6 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
 # which, long term, need to go away.
 neverallow domain {
 file_type
- -system_file # needs to die. b/20013628
 -system_data_file
 -apk_data_file
 -app_data_file
@@ -429,9 +428,9 @@ neverallow domain {
 # required by some device-specific service domains.
 neverallow domain self:process { execstack execheap };
-# TODO: prohibit non-zygote spawned processes from using shared libraries
+# prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-# neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -appdomain } file_type:file execmod;
 neverallow { domain -init } proc:{ file dir } mounton;
-- 
GitLab
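Review bot: The comment kept above the first `neverallow domain { file_type ... }` rule no longer says who the remaining exemptions are for. The rule's closing line is outside the hunk, but assuming it ends in `:file execmod` as the commit message implies, the `-system_data_file -apk_data_file -app_data_file` exclusions can now only be used by `appdomain`, because the rule enabled further down forbids `execmod` on every `file_type` for all other domains. A one-line comment next to the list would make that visible, e.g. `# With the { domain -appdomain } assertion below, these exemptions are reachable by appdomain only.`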
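Review bot: The comment above the newly enabled `neverallow { domain -appdomain } file_type:file execmod;` still says "non-zygote spawned processes", but the rule is keyed on the `appdomain` attribute, not on how a process was spawned. Whether every `appdomain` member is zygote-spawned cannot be seen from this hunk, so the comment should describe what the assertion enforces, e.g. `# Non-app domains must never use text relocations, regardless of the source file type. b/20013628`. The stray ` .` after the bug number can go in the same edit. Since a neverallow is checked when the policy is compiled, it is worth noting in the comment that a device policy granting `execmod` to a non-app domain will now fail to build.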