Revert "Revert "Strip exec* permissions from unconfined domains.""

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 89740a6967.

Change-Id: Ie060cff0de8cbd206e0e55e196021726e52246c7

unconfined.te

@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~ptrace;
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
@@ -29,9 +29,9 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;