From 7028bdccd5b3e91928d345990587738212973f1d Mon Sep 17 00:00:00 2001
From: William Roberts
Date: Mon, 22 Jun 2015 07:26:26 -0700
Subject: [PATCH] neverallow: domain execute data_file_type

To help reduce code injection paths, a neverallow is placed to prevent domain, sans untrusted_app and shell, execute on data_file_type. A few data_file_type's are also exempt from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains system_server and zygote. They can only execute data_file_type's of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts
---
 domain.te | 12 ++++++++++++
 system_server.te | 6 ++++++
 zygote.te | 6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/domain.te b/domain.te
index ab319998a..19797c6e2 100644
--- a/domain.te
+++ b/domain.te
@@ -304,6 +304,18 @@ neverallow {
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file }:file execute;
 
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -untrusted_app
+ -shell
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
diff --git a/system_server.te b/system_server.te
index 4cb0e8212..2a1664210 100644
--- a/system_server.te
+++ b/system_server.te
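Review bot: The `-system_data_file # shared libs in apks` exemption in the new target set looks broader than its justification: the inline comment names only the shared libraries extracted from apks, yet every domain not carved out keeps execute on anything else labelled system_data_file, and nothing in the hunk narrows that. If system_data_file covers more of /data than those libraries (I cannot confirm from this hunk), a dedicated type for the extracted-lib directory would let the exemption shrink to exactly that content; at minimum the comment should record the gap, e.g. `-system_data_file # TODO: narrow to a dedicated type for shared libs extracted from apks`. The header comment should also say why untrusted_app and shell are removed from the subject set, since those are the two domains most exposed to untrusted content; something like `# untrusted_app and shell are exempt: they run content they own under /data (TODO confirm exact paths)` would capture the intent. Separately, the neighbouring cache_file rule in context denies only `execute` while the new rule uses `no_x_file_perms`, so aligning the older rule to the macro is worth a follow-up.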
@@ -440,6 +440,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
+# system_server should never execute anything from /data except for /data/dalvik-cache files.
+neverallow system_server {
+ data_file_type
+ -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root
 # escalation by writing to raw block devices.
diff --git a/zygote.te b/zygote.te
index 2b869c0e4..6d5d521a9 100644
--- a/zygote.te
+++ b/zygote.te
@@ -78,3 +78,9 @@ allow zygote zygote_exec:file rx_file_perms;
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
 neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
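Review bot: The exemption comments in the system_server and zygote hunks are inconsistent and too terse to explain the carve-out: system_server.te has `-dalvikcache_data_file #mapping with PROT_EXEC` while zygote.te has `-dalvikcache_data_file # map PROT_EXEC`, and neither says what is mapped or why that mapping is acceptable for these two privileged domains. Given that the context line just above already confines dex2oat_exec, the dalvik-cache exemption presumably exists because the compiled output dex2oat writes there must be mapped executable; the same wording in both files, e.g. `-dalvikcache_data_file # compiled dex output is mapped PROT_EXEC`, would make that explicit. The two rules are otherwise identical apart from the subject domain, and since each lives in its own .te file a note that they are meant to stay in sync would help the next person who loosens one of them.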