From 359101ac289ad75653c954c07166bc658900bd28 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 24 Mar 2015 06:03:52 -0700
Subject: [PATCH] add neverallow rules for execmod

Android has long enforced that code can't compile with text
relocations present. Add a compile time assertion to prevent
regressions.

Change-Id: Iab35267ce640c1fad9dc82b90d22e70e861321b7
---
 domain.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/domain.te b/domain.te
index 32aa9004c..12633c827 100644
--- a/domain.te
+++ b/domain.te
@@ -381,3 +381,18 @@ neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow domain {
+  file_type
+  -system_data_file
+  -apk_data_file
+  -app_data_file
+  -asec_public_file
+}:file execmod;
+
+neverallow { domain -appdomain } file_type:file execmod;
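Review bot: The comment block names the NDK text-relocation exceptions but not which domains may use them, and the final rule, `neverallow { domain -appdomain } file_type:file execmod;`, is what confines those exceptions to app domains, yet it carries no comment of its own. I would add `# The data-file exceptions above are for app domains only; no other domain may be granted execmod on any file type.` directly above it, so that a later edit to the exception list is not mistaken for something that only affects apps. Both assertions cover only objects labelled with a `file_type` and of class `file`. If execmod on objects labelled otherwise (for example with an `fs_type`) is also meant to be ruled out, that appears to need a separate assertion and is worth confirming against the rest of the policy.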
-- 
GitLab