Revert "Remove legacy execmod access."

This reverts commit 0f11ffcc. Reason for revert: libmono crashes Bug: 112292089 Bug: 111544476 Test: policy compiles, device boots Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27

Revert "Remove legacy execmod access."
This reverts commit 0f11ffcc. Reason for revert: libmono crashes Bug: 112292089 Bug: 111544476 Test: policy compiles, device boots Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27
d90d001a · Nick Kralevich · c05fa1a5 · d90d001a · d90d001a
Commit d90d001a authored 6 years ago by Nick Kralevich
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -20,9 +20,13 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.

+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+allow untrusted_app_all app_data_file:file execmod;

 # Executing files from an application home directory violates
 # W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
@@ -34,7 +38,7 @@ auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute };
+allow untrusted_app_all asec_public_file:file { execute execmod };

 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
@@ -153,6 +157,10 @@ userdebug_or_eng(`
  }:{ dir file lnk_file } { getattr open read };
 ')

+# Temporary auditing to get data on what apps use execmod.
+# TODO(b/111544476) Remove this and deny the permission if feasible.
+auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this

--- a/public/domain.te
+++ b/public/domain.te
@@ -1114,14 +1114,26 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
 # su itself execute su.
 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;

+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+  file_type
+  -apk_data_file
+  -app_data_file
+  -asec_public_file
+}:file execmod;
+
 # Do not allow making the stack or heap executable.
 # We would also like to minimize execmem but it seems to be
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };

-# Do not allow the introduction of execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-neverallow * file_type:file execmod;
+# prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+neverallow { domain -untrusted_app_all } file_type:file execmod;

 neverallow { domain -init } proc:{ file dir } mounton;