Add no_x_file_perm to property related files.
It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).
Bug: 27882507
(cherry picked from commit 50ba6318419fc56366377c042f56cec5a2414c51)
Change-Id: Ifab6e46a077a87629b4d3c7ada1050f2ab6931d5
diff --git a/domain.te b/domain.te
index 2b4f68c..0f5590b 100644
--- a/domain.te
+++ b/domain.te
@@ -304,10 +304,10 @@
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
-neverallow { domain -init } property_type:file no_w_file_perms;
-neverallow { domain -init } properties_device:file no_w_file_perms;
-neverallow { domain -init } properties_serial:file no_w_file_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
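Review bot: The `-init` exemption on the four rewritten `neverallow` lines now applies to `no_x_file_perms` as well as `no_w_file_perms`, so the assertion does not stop init from being granted execute access to property files, although the commit message says loading code from them never makes sense. If init holds no such permission (not visible in this hunk), the execute half could be asserted for every domain in its own rule, e.g. `neverallow domain { property_data_file property_type properties_device properties_serial }:file no_x_file_perms;`, keeping `{ domain -init }` for the write rules only. The comment above the rules still describes only writes; it could be extended to `# Only the init property service should write to /data/property and /dev/__properties__; property files are never executable code.` The recovery `neverallow` that closes the hunk continues outside it.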