tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "neverallow PROT_EXEC stack or heap."

Browse source
This commit is contained in:
Daniel Cashman 2015-06-25 21:17:14 +00:00 committed by Gerrit Code Review
commit 33edd308bd
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
domain.te
View file

@ -414,6 +414,11 @@ neverallow domain {
-asec_public_file -asec_public_file
}:file execmod; }:file execmod;
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow domain self:process { execstack execheap };
# TODO: prohibit non-zygote spawned processes from using shared libraries # TODO: prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 . # with text relocations. b/20013628 .
# neverallow { domain -appdomain } file_type:file execmod; # neverallow { domain -appdomain } file_type:file execmod;