Eirikr70 Dynamic code loading is a way for an app to import code from an external server and execute it on your phone "as if it were part of the app".
GrapheneOS' impl by @muhomorr goes further than this. "DCL via memory" will not let even JITs or dynamic compiler or recompilers to run! That's a strictly higher bar.
- zygote on GrapheneOS drops in selinux attributes at runtime for app processes to restrict loading of executable pages (commit).
- ART cannot JIT (commit).
- Executable
ashmem and memfds are disallowed. Though, I'm surprised these need to be protected separately (commit).
Those checks are in addition to runtime checks to disallow loading in dexfiles ("DCL via storage"). I'm unsure how native library loading from storage is prevented though (I spot no ART changes in places I'm looking).
GrapheneOS' DCL restrictions totally resembles iOS' "lockdown mode" at this stage & GrapheneOS should consider re-branding this feature (given "DCL" means a very specific thing, which is loading dexfiles/libraries on the fly, to Android developers).