Merge "neverallow PROT_EXEC stack or heap."

2015-06-25 21:17:14 +00:00 · 2015-06-25 21:17:14 +00:00 · 33edd308bd
commit 33edd308bd
parent 7d65b547d3 5328d9749d
1 changed files with 5 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -414,6 +414,11 @@ neverallow domain {
  -asec_public_file
 }:file execmod;

+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow domain self:process { execstack execheap };
+
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;