add execmod to various app domains
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.
Addresses the following error / denial:
06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app
Expected:
App runs
Actual:
App crashes with error above.
Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
diff --git a/untrusted_app.te b/untrusted_app.te
index b7a2cef..50a02da 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -27,7 +27,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file rx_file_perms;
+allow untrusted_app app_data_file:file { rx_file_perms execmod };
allow untrusted_app tun_device:chr_file rw_file_perms;
@@ -35,7 +35,7 @@
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
-allow untrusted_app asec_public_file:file execute;
+allow untrusted_app asec_public_file:file { execute execmod };
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm