only permit text relocations in untrusted_app

The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are effectively
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
diff --git a/public/app.te b/public/app.te
index 7f51574..14e3011 100644
--- a/public/app.te
+++ b/public/app.te
@@ -215,7 +215,7 @@
 
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
+allow appdomain apk_data_file:file rx_file_perms;
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
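Review bot: The comment above the changed rule still reads "Allow apps to read/execute installed binaries", which no longer tells a reader why execmod disappeared from the appdomain rule or where it went. A one-line pointer keeps the two files consistent: `# Allow apps to read/execute installed binaries. execmod (text relocations) is not granted here; untrusted_app.te grants it for legacy apps only.`. Dropping execmod from the shared appdomain rule is the right direction, since the neverallow in domain.te now fails policy compilation for any other domain that tries to regain it.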
diff --git a/public/domain.te b/public/domain.te
index 56424e9..66b1d8a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -483,7 +483,7 @@
 
 # prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -untrusted_app } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
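Review bot: The comment on the rewritten neverallow is now stale: it still says "prohibit non-zygote spawned processes", but with the exemption narrowed from appdomain to untrusted_app the rule also covers zygote-spawned domains such as isolated_app and the privileged app domains. Suggest `# prohibit all domains other than untrusted_app from using shared libraries` / `# with text relocations (execmod). b/20013628 .` so the comment matches what the assertion enforces. It is worth noting in the comment that this neverallow is the compile-time guard: any future per-domain allow of execmod on file_type outside untrusted_app will be rejected when the policy is built, which is the intended detection point for regressions.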
 
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index b968728..9f62b77 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -25,6 +25,9 @@
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Legacy text relocations
+allow untrusted_app apk_data_file:file execmod;
+
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };
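Review bot: The added comment `# Legacy text relocations` is terse for a rule that is now the single remaining exemption from a domain-wide neverallow; a reader will not know from this file why untrusted_app alone keeps it or what would let it be removed. Suggest `# Legacy text relocations in app-shipped shared libraries. untrusted_app is the only domain exempt from the execmod neverallow in domain.te, for backwards compatibility (b/20013628).`. The unchanged rule just below still grants execmod on app_data_file for libraries apps write into their own sandbox, so the new line only restores the installed-APK case that the appdomain rule in app.te stopped covering; stating that relationship in the comment would make the two rules easier to audit together.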