domain: relax execmod restrictions
Some devices still ship pre-built binaries that contain text
relocations. As a result, it is premature to assert a neverallow rule
for files in /system.
Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b
diff --git a/domain.te b/domain.te
index 3a84659..5a3d3c9 100644
--- a/domain.te
+++ b/domain.te
@@ -390,10 +390,13 @@
# which, long term, need to go away.
neverallow domain {
file_type
+ -system_file # needs to die. b/20013628
-system_data_file
-apk_data_file
-app_data_file
-asec_public_file
}:file execmod;
-neverallow { domain -appdomain } file_type:file execmod;
+# TODO: prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+# neverallow { domain -appdomain } file_type:file execmod;
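Review bot: Commenting out the second neverallow removes the build-time assertion for every file type, not only for files in /system as the commit message describes. The first rule still exempts system_data_file, apk_data_file, app_data_file and asec_public_file, so after this change nothing stops a later allow rule from granting execmod on those writable types to a non-app domain. If the text-relocation binaries are all labeled system_file (not verifiable from this hunk), a narrower form would keep the rest of the guard: `neverallow { domain -appdomain } { file_type -system_file }:file execmod;`. The `# needs to die.` comment on the new exclusion would also be clearer if it stated the exit condition, e.g. `# remove once prebuilts with text relocations are gone. b/20013628`.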