Remove legacy execmod access from API >= 26.

Text relocation support was removed from the linker for apps targeting
API >= 23. See
https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod
permission at that time, since we didn't have support for targeting
SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The
linker support was removed, so it's pointless to keep around the SELinux
permissions.

Retain execmod support for apps targeting API 25 or lower. While in
theory we could remove support for API 23-25, that would involve the
introduction of a new SELinux domain (and the associated rule
explosion), which I would prefer to avoid.

This change helps protect application executable code from modification,
enforcing W^X properties on executable code pages loaded from files.
https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps
      targeting API >= 26. Code compiles and device boots.
Bug: 111544476

Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 09207e2..48a7c45 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -46,3 +46,7 @@
 allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file(untrusted_app_25, proc_qtaguid_stat)
 allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
+
+# Text relocation support for API < 23
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
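Review bot: The comment on the added rule says "Text relocation support for API < 23", but the rule is granted to untrusted_app_25, which per the commit message also covers apps targeting API 23-25, where the linker already rejects text relocations. Suggest making the comment say so, for example "# Text relocation support for API < 23; kept for API 23-25 only to avoid a new domain", so a later reader does not assume every app in this domain needs execmod. Only the addition is visible in this hunk; the matching removal of execmod from the rules that still apply to apps targeting API >= 26 should be confirmed in the same change, since without it this allow is redundant and nothing is tightened.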