From 998ce77f845cba7f14d4f54de3e87ebf9deafaed Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 1 Apr 2015 17:41:41 -0700
Subject: [PATCH] domain: relax execmod restrictions

Some devices still have pre-built binaries with text relocations on them. As a result, it's premature to assert a neverallow rule for files in /system

Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b
---
 domain.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 3a846596f..5a3d3c93c 100644
--- a/domain.te
+++ b/domain.te
@@ -390,10 +390,13 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
 # which, long term, need to go away.
 neverallow domain {
 file_type
+ -system_file # needs to die. b/20013628
 -system_data_file
 -apk_data_file
 -app_data_file
 -asec_public_file
 }:file execmod;
 
-neverallow { domain -appdomain } file_type:file execmod;
+# TODO: prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+# neverallow { domain -appdomain } file_type:file execmod;
--
GitLab
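Review bot: Commenting out the `{ domain -appdomain }` neverallow at the end of the hunk removes more protection than the stated problem requires: the first rule already excludes system_data_file, apk_data_file, app_data_file and asec_public_file, so once the second rule is gone, non-app domains are no longer prevented from execmod on those data files either, not just on the prebuilt /system libraries the description mentions. Since the bug is only about text relocations in /system, the rule can stay live with a single carve-out instead of being commented out: `neverallow { domain -appdomain } { file_type -system_file }:file execmod;`. That keeps the execmod prohibition on data files for non-zygote domains while b/20013628 is worked, and leaves an enforced rule rather than a commented-out one that has to be remembered and re-enabled. The `-system_file # needs to die.` exclusion in the first rule would then be the only exemption tied to the bug.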