neverallow: domain execute data_file_type

To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <>
3 files changed