neverallow cache_file and derivatives execute

Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
William Roberts 2015-05-14 13:16:40 -07:00
parent e5916eb67b
commit 6c30016136


@ -294,6 +294,8 @@ neverallow {
-appdomain # for oemfs -appdomain # for oemfs
-recovery # for /tmp/update_binary in tmpfs -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute; } { fs_type -rootfs }:file execute;
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file }:file execute;
# Only the init property service should write to /data/property. # Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms; neverallow { domain -init } property_data_file:dir no_w_dir_perms;
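Review bot: The added rule `neverallow domain { cache_file cache_backup_file }:file execute;` lists two types by name, while the commit title promises cache_file "and derivatives", so a cache-labelled type introduced later stays outside the assertion until someone extends this set. The comment above the rule is the natural place to record that, for example `# Files from cache should never be executed; add any new cache-derived file type to this set.` If the policy has, or later gains, an attribute that groups the cache types, using it here would keep the assertion complete without manual upkeep; whether such an attribute exists is not visible in this hunk.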