remove base system app execmem

GrapheneOS doesn't use the ART JIT compiler.

Signed-off-by: anupritaisno1 <[email protected]>

Author: renlord

prebuilts/api/30.0/private/ephemeral_app.te

@@ -16,6 +16,9 @@ typeattribute ephemeral_app coredomain;
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
+allow ephemeral_app self:process execmem;
+auditallow ephemeral_app self:process execmem;
+
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 

prebuilts/api/30.0/private/isolated_app.te

@@ -10,6 +10,9 @@ typeattribute isolated_app coredomain;
 
 app_domain(isolated_app)
 
+allow isolated_app self:process execmem;
+auditallow isolated_app self:process execmem;
+
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
 

prebuilts/api/30.0/private/untrusted_app.te

@@ -14,3 +14,6 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+
+allow untrusted_app self:process execmem;
+auditallow untrusted_app self:process execmem;

prebuilts/api/30.0/private/untrusted_app_25.te

@@ -15,6 +15,9 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
+allow untrusted_app_25 self:process execmem;
+auditallow untrusted_app_25 self:process execmem;
+
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
 allow untrusted_app_25 proc_misc:file r_file_perms;

prebuilts/api/30.0/private/untrusted_app_27.te

@@ -15,6 +15,9 @@ untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
 
+allow untrusted_app_27 self:process execmem;
+auditallow untrusted_app_27 self:process execmem;
+
 # Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;

prebuilts/api/30.0/private/untrusted_app_29.te

@@ -15,5 +15,8 @@ untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
 
+allow untrusted_app_29 self:process execmem;
+auditallow untrusted_app_29 self:process execmem;
+
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };

prebuilts/api/30.0/public/app.te

@@ -8,10 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-auditallow appdomain self:process execmem;
-
 allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
 

private/ephemeral_app.te

@@ -16,6 +16,9 @@ typeattribute ephemeral_app coredomain;
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
+allow ephemeral_app self:process execmem;
+auditallow ephemeral_app self:process execmem;
+
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 

private/isolated_app.te

@@ -10,6 +10,9 @@ typeattribute isolated_app coredomain;
 
 app_domain(isolated_app)
 
+allow isolated_app self:process execmem;
+auditallow isolated_app self:process execmem;
+
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
 

private/untrusted_app.te

@@ -14,3 +14,6 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+
+allow untrusted_app self:process execmem;
+auditallow untrusted_app self:process execmem;

private/untrusted_app_25.te

@@ -15,6 +15,9 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
+allow untrusted_app_25 self:process execmem;
+auditallow untrusted_app_25 self:process execmem;
+
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
 allow untrusted_app_25 proc_misc:file r_file_perms;

private/untrusted_app_27.te

@@ -15,6 +15,9 @@ untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
 
+allow untrusted_app_27 self:process execmem;
+auditallow untrusted_app_27 self:process execmem;
+
 # Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;

private/untrusted_app_29.te

@@ -15,5 +15,8 @@ untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
 
+allow untrusted_app_29 self:process execmem;
+auditallow untrusted_app_29 self:process execmem;
+
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };

public/app.te

@@ -8,10 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-auditallow appdomain self:process execmem;
-
 allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;