Update text relocation neverallow assertions
1) Don't allow any SELinux domain to attempt to perform a text
relocation on a file from the /system partition. It's not supported
and should never be attempted.
2) Completely block any non-app SELinux domains from using text
relocations, regardless of the source.
Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
diff --git a/domain.te b/domain.te
index f5078c0..ee606a4 100644
--- a/domain.te
+++ b/domain.te
@@ -417,7 +417,6 @@
# which, long term, need to go away.
neverallow domain {
file_type
- -system_file # needs to die. b/20013628
-system_data_file
-apk_data_file
-app_data_file
@@ -429,9 +428,9 @@
# required by some device-specific service domains.
neverallow domain self:process { execstack execheap };
-# TODO: prohibit non-zygote spawned processes from using shared libraries
+# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
-# neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -appdomain } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
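Review bot: The comment above the newly enabled rule still says it prohibits "non-zygote spawned processes", but the rule is scoped by attribute, `{ domain -appdomain }`, so it exempts every domain carrying `appdomain`, however that domain was started. Wording the comment after the rule keeps the two from drifting, for example `# Only appdomain may use shared libraries with text relocations (execmod). b/20013628`, which also drops the stray ` .` after the bug number. The commit message says "regardless of the source", while the target set is `file_type:file`; any file labelled with a type outside the `file_type` attribute would presumably not be covered by this assertion, which may be intended but is worth stating in the comment. Because a neverallow is checked when the policy is compiled, it is also worth noting that device-specific policy granting `execmod` to a non-app domain will now fail the build.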