Revert "Remove execmod support for newer API versions"
We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.
This reverts commit 38d3eca0d40811fed4b01947bc4b65dd0a375ce1.
Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index bb95b1f..e576d27 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,6 +42,3 @@
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Legacy text relocations
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 7d4737d..6534412 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,15 +17,18 @@
### seapp_contexts.
###
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file rx_file_perms;
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file execute;
+allow untrusted_app_all asec_public_file:file { execute execmod };
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".