Remove legacy execmod access from API >= 26.

Text relocation support was removed from the linker for apps targeting
API >= 23. See
https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod
permission at that time, since we didn't have support for targeting
SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The
linker support was removed, so it's pointless to keep around the SELinux
permissions.

Retain execmod support for apps targeting API 25 or lower. While in
theory we could remove support for API 23-25, that would involve the
introduction of a new SELinux domain (and the associated rule
explosion), which I would prefer to avoid.

This change helps protect application executable code from modification,
enforcing W^X properties on executable code pages loaded from files.
https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps
      targeting API >= 26. Code compiles and device boots.
Bug: 111544476

Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41

private/untrusted_app_25.te

@@ -46,3 +46,7 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
 r_dir_file(untrusted_app_25, proc_qtaguid_stat)
 allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
+
+# Text relocation support for API < 23
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;

private/untrusted_app_all.te

@@ -20,13 +20,9 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.
 
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
-allow untrusted_app_all app_data_file:file execmod;
 
 # Executing files from an application home directory violates
 # W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
@@ -38,7 +34,7 @@ auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
 # Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
+allow untrusted_app_all asec_public_file:file { execute };
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
@@ -157,10 +153,6 @@ userdebug_or_eng(`
   }:{ dir file lnk_file } { getattr open read };
 ')
 
-# Temporary auditing to get data on what apps use execmod.
-# TODO(b/111544476) Remove this and deny the permission if feasible.
-auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this

public/domain.te

@@ -1134,9 +1134,9 @@ neverallow * {
 # required by some device-specific service domains.
 neverallow * self:process { execstack execheap };
 
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;