From 9be90fb6e131df8d8efb88b02873af2ca1b87803 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 6 Mar 2017 02:49:50 +0000
Subject: [PATCH] Revert "Remove execmod support for newer API versions"

We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.

This reverts commit 38d3eca0d40811fed4b01947bc4b65dd0a375ce1.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.
---
 private/untrusted_app_25.te  | 3 ---
 private/untrusted_app_all.te | 7 +++++--
 public/domain.te             | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index bb95b1fb8..e576d27dc 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,6 +42,3 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Legacy text relocations
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 7d4737dee..653441271 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,15 +17,18 @@
 ### seapp_contexts.
 ###
 
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file rx_file_perms;
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file execute;
+allow untrusted_app_all asec_public_file:file { execute execmod };
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
diff --git a/public/domain.te b/public/domain.te
index 9ee41ab50..b8004ac94 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -499,7 +499,7 @@ neverallow * self:process { execstack execheap };
 
 # prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_25 } file_type:file execmod;
+neverallow { domain -untrusted_app_all } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
-- 
GitLab