am 7028bdcc: neverallow: domain execute data_file_type

* commit '7028bdcc':
  neverallow: domain execute data_file_type

domain.te

@@ -304,6 +304,18 @@ neverallow {
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file }:file execute;
 
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+  domain
+  -untrusted_app
+  -shell
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;

system_server.te

@@ -453,6 +453,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
+# system_server should never execute anything from /data except for /data/dalvik-cache files.
+neverallow system_server {
+  data_file_type
+  -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root
 # escalation by writing to raw block devices.

zygote.te

@@ -79,3 +79,9 @@ allow zygote zygote_exec:file rx_file_perms;
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
 neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+  data_file_type
+  -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;