diff --git a/domain.te b/domain.te
index a464ae9a8ae4e1b72c39df7b505cbc9117926a95..a56d9c158b414800d674ba8a132c97293f564002 100644
--- a/domain.te
+++ b/domain.te
@@ -304,6 +304,18 @@ neverallow {
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file }:file execute;
 
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+  domain
+  -untrusted_app
+  -shell
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
diff --git a/system_server.te b/system_server.te
index 0b18eb4b6db1d5dfcd3f2367c9c83b88307ccc25..905f12744d70d4fa39d1ba30ecb61f56f62523f4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -453,6 +453,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
+# system_server should never execute anything from /data except for /data/dalvik-cache files.
+neverallow system_server {
+  data_file_type
+  -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root
 # escalation by writing to raw block devices.
diff --git a/zygote.te b/zygote.te
index 8ff32a4539c904d77c5bf02a3f06dd32f71463e5..139df85ded2398047ba2035dfbc4afe8f68873a7 100644
--- a/zygote.te
+++ b/zygote.te
@@ -79,3 +79,9 @@ allow zygote zygote_exec:file rx_file_perms;
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
 neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+  data_file_type
+  -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;