From 78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 2 Jun 2014 14:49:10 -0700
Subject: [PATCH] add execmod to various app domains

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
---
 app.te           | 2 +-
 untrusted_app.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 0049fe47d..eadf5390b 100644
--- a/app.te
+++ b/app.te
@@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open };
+allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index b7a2cef6c..50a02da68 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file rx_file_perms;
+allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
@@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
-allow untrusted_app asec_public_file:file execute;
+allow untrusted_app asec_public_file:file { execute execmod };
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm