Prohibit execute to fs_type other than rootfs for most domains.

Augment the already existing neverallow on loading executable content from file types other than /system with one on loading executable content from filesystem types other than the rootfs. Include exceptions for appdomain and recovery as required by current policy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 4644ac48) Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621

Prohibit execute to fs_type other than rootfs for most domains.
9d2703a5 · Stephen Smalley · Nick Kralevich · 3cfc7ea8 · 9d2703a5
Commit 9d2703a5 authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -263,7 +263,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_ty

 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
 #
 neverallow {
    domain
@@ -274,6 +274,11 @@ neverallow {
    -system_server
    -zygote
 } { file_type -system_file -exec_type }:file execute;
+neverallow {
+    domain
+    -appdomain # for oemfs
+    -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;

 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };