Merge "Allow execmod for apps with targetSdkVersion=26-28" am: 61f28b33a4 am: 7bc1740052

am: ceeee0e4cf

Change-Id: I5d53177d04caad0ca70dca0703e4c350365bdda4

private/untrusted_app_25.te

@@ -42,7 +42,7 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 
-# Text relocation support for API < 23
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
 

private/untrusted_app_27.te

@@ -27,6 +27,10 @@ untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
 
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;

public/domain.te

@@ -1118,7 +1118,7 @@ neverallow * self:process { execstack execheap };
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 } file_type:file execmod;
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;