From 6c30016136b8ad0bc52a14fb50c6ddd449811cde Mon Sep 17 00:00:00 2001
From: William Roberts
Date: Thu, 14 May 2015 13:16:40 -0700
Subject: [PATCH] neverallow cache_file and derivatives execute

Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1
Signed-off-by: William Roberts
---
 domain.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/domain.te b/domain.te
index bd59be158..e544281f1 100644
--- a/domain.te
+++ b/domain.te
@@ -294,6 +294,8 @@ neverallow {
 -appdomain # for oemfs
 -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file }:file execute;
 
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
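Review bot: The subject promises "cache_file and derivatives", but the added neverallow only enumerates `cache_file` and `cache_backup_file`, so any other type that is (or later becomes) a label for files under /cache would fall outside the rule unless someone remembers to extend this list; if the policy has, or grows, an attribute shared by all cache-labelled types, keying the rule on that attribute would make the guarantee hold automatically. The added comment should also record that, unlike the `fs_type -rootfs` rule just above it, this one deliberately has no `-appdomain`/`-recovery` carve-outs, since a reader comparing the two rules will otherwise wonder whether the omission is an oversight: `# Files from cache must never be executed by any domain — no exceptions, unlike the fs_type rule above; extend the type list when a new cache-labelled type is added.` The `neverallow {` rule that opens this hunk starts before the hunk, so its full exclusion list is not visible here.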