Merge "allow procrank to write to bug report"
diff --git a/domain.te b/domain.te
index ab31999..19797c6 100644
--- a/domain.te
+++ b/domain.te
@@ -304,6 +304,18 @@
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file }:file execute;
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -untrusted_app
+ -shell
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;
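Review bot: The `-system_data_file` exemption in the new neverallow is much broader than its `# shared libs in apks` justification suggests, since system_data_file is the default label for most of /data, so every domain not excluded by name may still execute anything carrying that label. If only the extracted native libraries need to be executable, a dedicated type for that directory would let the exemption be narrowed; failing that, the comment should state the real scope, e.g. `-system_data_file # catch-all label for /data; needed for app native libs, but leaves most of /data executable`. The blanket `-shell` exclusion also removes the whole shell domain from the rule rather than just the paths shell tools need, which is worth a one-line comment explaining why that is acceptable. Note too that this rule only covers types that carry the data_file_type attribute; a /data type declared without it would not be caught, which may be intended but is not stated.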
diff --git a/system_server.te b/system_server.te
index 4cb0e82..2a16642 100644
--- a/system_server.te
+++ b/system_server.te
@@ -440,6 +440,12 @@
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;
+# system_server should never execute anything from /data except for /data/dalvik-cache files.
+neverallow system_server {
+ data_file_type
+ -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
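Review bot: The inline comment `-dalvikcache_data_file #mapping with PROT_EXEC` is terse and formatted inconsistently with the equivalent rule in zygote.te (`# map PROT_EXEC`), so a reader cannot tell from either whether the exemption is for execute, execute_no_trans or just executable mappings. Spelling it out, e.g. `-dalvikcache_data_file # oat/odex in /data/dalvik-cache are mmap'd PROT_EXEC by the runtime`, would make the intent explicit and keep the two files in step. This rule is stricter than the domain-wide one added in domain.te (it does not carve out system_data_file or apk_data_file), which is appropriate for system_server but would be worth a sentence in the header comment so the difference is not later "fixed" by copying the exemptions across.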
diff --git a/zygote.te b/zygote.te
index 2b869c0..6d5d521 100644
--- a/zygote.te
+++ b/zygote.te
@@ -78,3 +78,9 @@
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
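Review bot: This rule is a byte-for-byte copy of the one added to system_server.te apart from the comment text, and two hand-maintained copies of a neverallow are the kind of thing that drifts when one is later relaxed. Since both domains are the only ones allowed to receive a dyntransition from zygote (line 47 above), a shared attribute or macro carrying the single `neverallow … { data_file_type -dalvikcache_data_file }:file no_x_file_perms;` would keep them identical by construction. If the duplication is deliberate, a comment such as `# Keep in sync with the matching rule in system_server.te` on the header line would at least tell the next editor where the sibling lives.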