Remove execmod support for newer API versions
Drop support for execmod (aka text relocations) for newer API versions.
Retain it for older app API versions.
Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6534412..7d4737d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,18 +17,15 @@
### seapp_contexts.
###
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+allow untrusted_app_all app_data_file:file rx_file_perms;
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file execute;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
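Review bot: The rewritten app_data_file and asec_public_file rules, together with the deleted apk_data_file rule, leave nothing in this file saying that execmod was dropped on purpose, so a later change chasing a text-relocation denial could quietly re-add it. A short comment above the app_data_file rule would record the intent, for example `# execmod (text relocations) is deliberately not granted here; it is kept only for older API-version domains.` The retention for older API versions described in the commit message is not visible in this hunk, so it is worth confirming that those rules cover the same three file types (apk_data_file, app_data_file, asec_public_file). A neverallow for execmod scoped to the non-legacy untrusted app domains would turn the restriction into a compile-time check, which "Test: policy compiles" alone does not give.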