diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 96ae0e802..a35d81bd8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,7 +42,7 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 
-# Text relocation support for API < 23
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
 
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index f9cd460df..eaa1791e6 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,6 +27,10 @@ untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
 
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
diff --git a/public/domain.te b/public/domain.te
index 5a964c995..634a5c558 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1118,7 +1118,7 @@ neverallow * self:process { execstack execheap };
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 } file_type:file execmod;
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;