Remove legacy execmod access from API >= 26.

Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23 However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions. Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions. Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid. This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots. Bug: 111544476 Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41

Remove legacy execmod access from API >= 26.
Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23 However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions. Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions. Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid. This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots. Bug: 111544476 Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
f3eb9854 · Nick Kralevich · dd253e90 · f3eb9854 · f3eb9854 · f3eb9854
Commit f3eb9854 authored 6 years ago by Nick Kralevich
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -46,3 +46,7 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file(untrusted_app_25, proc_qtaguid_stat)
 allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
+# Text relocation support for API < 23
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -20,13 +20,9 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
-allow untrusted_app_all app_data_file:file execmod;
 # Executing files from an application home directory violates
 # W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
@@ -38,7 +34,7 @@ auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file { execute };
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
@@ -157,10 +153,6 @@ userdebug_or_eng(`
  }:{ dir file lnk_file } { getattr open read };
 ')
-# Temporary auditing to get data on what apps use execmod.
-# TODO(b/111544476) Remove this and deny the permission if feasible.
-auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this

--- a/public/domain.te
+++ b/public/domain.te
@@ -1134,9 +1134,9 @@ neverallow * {
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };
-# prohibit non-zygote spawned processes from using shared libraries
+# Do not allow the introduction of new execmod rules. Text relocations
-# with text relocations. b/20013628 .
+# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_all } file_type:file execmod;
+neverallow { domain -untrusted_app_25 } file_type:file execmod;
 neverallow { domain -init } proc:{ file dir } mounton;