From 4644ac483667befac441bb541733e489d902bacf Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 21 Jul 2014 10:21:20 -0400
Subject: [PATCH] Prohibit execute to fs_type other than rootfs for most domains.

Augment the already existing neverallow on loading executable content from file types other than /system with one on loading executable content from filesystem types other than the rootfs. Include exceptions for appdomain and recovery as required by current policy.

Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 091345398..015274bf0 100644
--- a/domain.te
+++ b/domain.te
@@ -265,7 +265,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_ty
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
 #
 neverallow {
   domain
@@ -276,6 +276,11 @@ neverallow {
   -system_server
   -zygote
 } { file_type -system_file -exec_type }:file execute;
+neverallow {
+  domain
+  -appdomain # for oemfs
+  -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
 
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
-- 
GitLab
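Review bot: The `-appdomain` and `-recovery` exclusions in the new neverallow lift the assertion for every filesystem type, not only the oemfs and tmpfs cases the trailing comments cite, so an app domain executing a file from some other fs_type (tmpfs, sdcard_type, a context-mounted vendor filesystem) would no longer be caught by this check. The exemptions can stay tied to the filesystem that justifies them by adding, after the new block, `neverallow appdomain { fs_type -rootfs -oemfs }:file execute;` and `neverallow recovery { fs_type -rootfs -tmpfs }:file execute;`. This assumes oemfs and tmpfs carry the fs_type attribute, which this hunk does not show, and the policy build would need to confirm that no existing allow rule for an app domain already violates the tighter form. Whichever form is kept, the rationale reads better as a comment above the block than as trailing comments inside the type set, e.g. `# appdomain may execute from oemfs; recovery executes /tmp/update_binary from tmpfs`.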