Rework neverallow for /data execute permission

am: c5266df9 Change-Id: Ic641868482260a74a5cf656d8c34e08bfdbab91a

Rework neverallow for /data execute permission
5b1cdbca · Eino-Ville Talvala · android-build-merger · 3f2b6600 · c5266df9 · 5b1cdbca
Commit 5b1cdbca authored 9 years ago by Eino-Ville Talvala Committed by android-build-merger 9 years ago
--- a/app.te
+++ b/app.te
@@ -432,6 +432,22 @@ neverallow appdomain {
  tmpfs
 }:lnk_file no_w_file_perms;

+# Blacklist app domains not allowed to execute from /data
+neverallow {
+  bluetooth
+  isolated_app
+  nfc
+  platform_app
+  radio
+  shared_relro
+  system_app
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
 neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
 neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
--- a/domain.te
+++ b/domain.te
@@ -288,9 +288,7 @@ neverallow domain { cache_file cache_backup_file cache_private_backup_file cache
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
  domain
-  -untrusted_app
-  -priv_app
-  -shell
+  -appdomain
 } {
  data_file_type
  -dalvikcache_data_file
@@ -502,6 +500,11 @@ neverallow {
  -zygote
 } shell:process { transition dyntransition };

+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -zygote } {
+  appdomain -shell userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
 # Minimize read access to shell- or app-writable symlinks.
 # This is to prevent malicious symlink attacks.
 neverallow {