remove app_data_file execute
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
unaffected by this change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6ebbd43..10b0b3b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -47,7 +47,7 @@
neverallow all_untrusted_apps rs_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
-# Block calling execve() on files in an apps home directory.
+# Block calling execve() in app /data/data files.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
@@ -58,6 +58,17 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
+# Block calling dlopen() in app /data/data files.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -runas_app
+} app_data_file:file execute;
+
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
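Review bot: The new neverallow targets only `app_data_file:file execute`, whereas the execute_no_trans rule directly above it covers `{ app_data_file privapp_data_file }:file`; if the same W^X restriction is intended for both label types, the target should presumably read `} { app_data_file privapp_data_file }:file execute;` — hedged, since privapp_data_file may be unreachable for all_untrusted_apps and therefore deliberately omitted. The exemption list (untrusted_app_25, untrusted_app_27, runas_app) matches the execve rule, which keeps the two rules consistent. The heading comment names only dlopen(), but the `execute` permission is what denies mapping the file executable, so a comment such as `# Block mapping app_data_file executable (file execute), e.g. via dlopen().` would describe the actual check more precisely. Whether a trailing blank context line belongs to this hunk cannot be confirmed from the visible lines.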