From dc083f596d0dc84f1af0b7656dab982a7ffb13e4 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 3 Sep 2016 02:32:05 -0400
Subject: [PATCH] only permit text relocations in untrusted_app

The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
---
 public/app.te           | 2 +-
 public/domain.te        | 2 +-
 public/untrusted_app.te | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/public/app.te b/public/app.te
index 7f51574b3..14e3011a1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -215,7 +215,7 @@ allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
+allow appdomain apk_data_file:file rx_file_perms;
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
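Review bot: The comment above the changed rule still reads as a blanket grant, and nothing in app.te now records that execmod on apk_data_file was deliberately dropped from appdomain and moved to untrusted_app only, so a later maintainer may re-add it here and trip the domain.te neverallow. Extend the comment to `# Allow apps to read/execute installed binaries. execmod (text relocations) is intentionally not granted here; it is limited to untrusted_app, see untrusted_app.te and the neverallow in domain.te.`. This affects the other app domains (those covered by appdomain but not untrusted_app), which is presumably the intent per the commit message.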
diff --git a/public/domain.te b/public/domain.te
index 56424e928..66b1d8a54 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -483,7 +483,7 @@ neverallow * self:process { execstack execheap };
 
 # prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -untrusted_app } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
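Review bot: The comment on the two lines above the changed neverallow is now stale: it says the rule prohibits "non-zygote spawned processes", but after this change the rule also covers every zygote-spawned app domain except untrusted_app. Update it to match the new scope, e.g. `# prohibit all domains except untrusted_app (legacy text relocation support, see untrusted_app.te) from using shared libraries with text relocations. b/20013628 .`. Since this is the enforcement point for the whole policy, the comment is what reviewers will read when someone later tries to add execmod to another domain.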
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index b968728b2..9f62b77e9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -25,6 +25,9 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Legacy text relocations
+allow untrusted_app apk_data_file:file execmod;
+
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };
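Review bot: The new comment `# Legacy text relocations` does not say why untrusted_app alone keeps this permission or where the restriction is enforced, which is the information a maintainer needs before relaxing or removing it. Expand it to `# Legacy text relocations in native libraries of installed APKs (b/20013628). Only untrusted_app is exempted from the execmod neverallow in domain.te, for backwards compatibility with existing apps.`. Note also that the unchanged rule on the last line of the hunk still grants execmod on app_data_file, so the exemption covers both the installed APK and the app's own sandbox directory; if that is intended it is worth stating in the same comment.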
-- 
GitLab