Update text relocation neverallow assertions

1) Don't allow any SELinux domain to attempt to perform a text
relocation on a file from the /system partition. It's not supported
and should never be attempted.

2) Completely block any non-app SELinux domains from using text
relocations, regardless of the source.

Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
diff --git a/domain.te b/domain.te
index f5078c0..ee606a4 100644
--- a/domain.te
+++ b/domain.te
@@ -417,7 +417,6 @@
 # which, long term, need to go away.
 neverallow domain {
   file_type
-  -system_file      # needs to die. b/20013628
   -system_data_file
   -apk_data_file
   -app_data_file
@@ -429,9 +428,9 @@
 # required by some device-specific service domains.
 neverallow domain self:process { execstack execheap };
 
-# TODO: prohibit non-zygote spawned processes from using shared libraries
+# prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-# neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -appdomain } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
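Review bot: The comment kept above the newly enabled rule still says "non-zygote spawned processes", but the rule itself is written against `appdomain`, and nothing in this hunk shows that the two sets are the same. If any domain is zygote-spawned without carrying the appdomain attribute, or the reverse, the comment misstates who is exempt. I would word it in terms of what the rule matches, e.g. `# Only appdomain may use shared libraries with text relocations (execmod); all other domains are denied for every file_type. b/20013628`. It is also worth noting in the comment that neverallow is checked when the policy is compiled, so a device policy that still grants execmod to a non-app domain will fail the build and needs its allow rule removed.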