From 50ba6318419fc56366377c042f56cec5a2414c51 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 21 Apr 2016 17:08:41 -0700
Subject: [PATCH] Add no_x_file_perm to property related files.

It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507
Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2
---
 domain.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/domain.te b/domain.te
index dfc555886..6efb86dc3 100644
--- a/domain.te
+++ b/domain.te
@@ -273,10 +273,10 @@ neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_
 
 # Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
-neverallow { domain -init } property_type:file no_w_file_perms;
-neverallow { domain -init } properties_device:file no_w_file_perms;
-neverallow { domain -init } properties_serial:file no_w_file_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
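Review bot: The new `no_x_file_perms` assertions on the four rewritten lines inherit the `{ domain -init }` scope of the write rules, so init remains allowed to execute or map-executable property files even though the description says loading executable code from them never makes sense. The execute restriction should not share init's write exemption; one separate rule covers it without touching the write rules, e.g. `neverallow domain { property_data_file property_type properties_device properties_serial }:file no_x_file_perms;`, in the same spirit as the `nativetest_data_file` rule visible in the hunk header, whose exemption is stated on its own rather than borrowed from another rule. The comment above the block still describes only the write restriction and should be extended, e.g. `# Only the init property service should write to /data/property and /dev/__properties__; no domain should execute code from them`. Whether init itself genuinely needs execute access on any of these types is not visible from this hunk; if it does, that exemption deserves its own line and justification rather than being implied by the write rule.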
-- 
GitLab