Prohibit execute to fs_type other than rootfs for most domains.

Augment the existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac483667befac441bb541733e489d902bacf)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621
diff --git a/domain.te b/domain.te
index 2ed20bb..ba4c65a 100644
--- a/domain.te
+++ b/domain.te
@@ -263,7 +263,7 @@
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
 #
 neverallow {
     domain
@@ -274,6 +274,11 @@
     -system_server
     -zygote
 } { file_type -system_file -exec_type }:file execute;
+neverallow {
+    domain
+    -appdomain # for oemfs
+    -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
 
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
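Review bot: The `-appdomain` and `-recovery` exclusions on the new neverallow exempt those domains from every fs_type other than rootfs, while the inline comments say the only types they need are oemfs and tmpfs respectively, so the assertion is looser than its own comments claim. Since one neverallow cannot carve out a different target set per domain, the same intent can be stated more tightly as three statements: `neverallow { domain -appdomain -recovery } { fs_type -rootfs }:file execute;`, `neverallow appdomain { fs_type -rootfs -oemfs }:file execute;` and `neverallow recovery { fs_type -rootfs -tmpfs }:file execute;`. Whether current allow rules for appdomain or recovery touch some other fs_type cannot be confirmed from this hunk, so the split would need to be checked against a policy build. If oemfs and tmpfs are not in fact the only types required, the comments should at least name the others so the exemption remains auditable.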