Update text relocation neverallow assertions

1) Don't allow any SELinux domain to attempt to perform a text relocation on a file from the /system partition. It's not supported and should never be attempted. 2) Completely block any non-app SELinux domains from using text relocations, regardless of the source. Bug: 20013628 Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3

Update text relocation neverallow assertions
89424bf9 · Nick Kralevich · 59019fd7 · 89424bf9
Commit 89424bf9 authored 9 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -417,7 +417,6 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
 # which, long term, need to go away.
 neverallow domain {
  file_type
-  -system_file      # needs to die. b/20013628
  -system_data_file
  -apk_data_file
  -app_data_file
@@ -429,9 +428,9 @@ neverallow domain {
 # required by some device-specific service domains.
 neverallow domain self:process { execstack execheap };
-# TODO: prohibit non-zygote spawned processes from using shared libraries
+# prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-# neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -appdomain } file_type:file execmod;
 neverallow { domain -init } proc:{ file dir } mounton;