Prohibit execute to fs_type other than rootfs for most domains.

Augment the already existing neverallow on loading executable content from file types other than /system with one on loading executable content from filesystem types other than the rootfs. Include exceptions for appdomain and recovery as required by current policy. Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prohibit execute to fs_type other than rootfs for most domains.
4644ac48 · Stephen Smalley · 958ef563 · 4644ac48
Commit 4644ac48 authored 10 years ago by Stephen Smalley
--- a/domain.te
+++ b/domain.te
@@ -265,7 +265,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_ty

 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
 #
 neverallow {
    domain
@@ -276,6 +276,11 @@ neverallow {
    -system_server
    -zygote
 } { file_type -system_file -exec_type }:file execute;
+neverallow {
+    domain
+    -appdomain # for oemfs
+    -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;

 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };