Commit 78706f9e authored by Nick Kralevich

add execmod to various app domains

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
parent 3957ae73
......@@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
......
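Review bot: the new rule `allow appdomain system_data_file:file { execute execute_no_trans open execmod };` grants execmod to every domain in appdomain, while the denial quoted in the commit message has scontext=u:r:untrusted_app:s0 only. Consider moving the allowance into the untrusted_app policy, or state in the comment above the rule why all app domains need it. The existing comment ("lib subdirectory of /data/data dir is system-owned") also says nothing about text relocations; a line naming the NDK r8c compatibility reason and Bug 15388851 would tell a later reader when the permission can be dropped.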
......@@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file rx_file_perms;
allow untrusted_app app_data_file:file { rx_file_perms execmod };
allow untrusted_app tun_device:chr_file rw_file_perms;
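Review bot: in `allow untrusted_app app_data_file:file { rx_file_perms execmod };` the target type is app_data_file, but the denial quoted in the commit message has tcontext system_data_file, so nothing shown here demonstrates that this rule is required. The comment above describes these as files that apps write out to their sandbox directory and then execute, which makes this the broadest of the three additions. If it is kept for libraries with text relocations that apps unpack into their sandbox, say so in the comment and reference the NDK issue; otherwise consider leaving it out until a denial is seen.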
......@@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;
allow untrusted_app asec_public_file:file { execute execmod };
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
......
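Review bot: the comment "Execute libs in asec containers." above `allow untrusted_app asec_public_file:file { execute execmod };` no longer describes the whole rule, and the commit message cites no denial with tcontext asec_public_file. Extend the comment to say that execmod is a compatibility allowance for shared libraries with text relocations built by NDK r8c and below, so the reason is visible in the policy file and not only in the commit log.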