Assert executable content (mostly) only loaded from /system

Add a compile time assertion that most SELinux domains don't execute code from outside of the system partition. Exceptions are listed in the neverallow rule. Change-Id: I8166e29a269adca11661df3c6cda4448a42ca30d

Assert executable content (mostly) only loaded from /system
629fbc95 · Nick Kralevich · ccb9f7a1 · 629fbc95
Commit 629fbc95 authored 10 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -232,3 +232,17 @@ neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read wri
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
 neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the /system partition except for a few whitelisted domains.
+#
+neverallow {
+    domain
+    -appdomain
+    -dumpstate
+    -shelldomain
+    userdebug_or_eng(`-su')
+    -system_server
+    -zygote
+} { file_type -system_file -exec_type }:file execute;