From 629fbc9540b4ab6d780cfa8442160b4923373021 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 23 May 2014 16:08:23 -0700
Subject: [PATCH] Assert executable content (mostly) only loaded from /system

Add a compile time assertion that most SELinux domains don't
execute code from outside of the system partition.

Exceptions are listed in the neverallow rule.

Change-Id: I8166e29a269adca11661df3c6cda4448a42ca30d
---
 domain.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/domain.te b/domain.te
index f7e86923f..b0d7c95d6 100644
--- a/domain.te
+++ b/domain.te
@@ -232,3 +232,17 @@ neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read wri
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
 neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the /system partition except for a few whitelisted domains.
+#
+neverallow {
+    domain
+    -appdomain
+    -dumpstate
+    -shelldomain
+    userdebug_or_eng(`-su')
+    -system_server
+    -zygote
+} { file_type -system_file -exec_type }:file execute;
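Review bot: The target set `{ file_type -system_file -exec_type }` on the last line has two gaps that the comment above the rule should spell out, since "to the extent possible" does not say what is excluded. Subtracting `exec_type` exempts every type carrying that attribute wherever its files actually reside, so the assertion only holds as long as `exec_type` is attached solely to system-partition labels; and files on filesystems whose label is an `fs_type` that is not also a `file_type` (the `sdcard_type` types named on the line just above appear to be such a case) are never matched at all. I would extend the comment with `# Types carrying exec_type and fs_type-only labels (e.g. sdcard) are outside this check.` The per-domain exemptions (appdomain, dumpstate, shelldomain, su, system_server, zygote) also carry no rationale; a one-line reason next to each would let a future reader tell which ones are meant to be temporary.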
-- 
GitLab