diff --git a/domain.te b/domain.te
index eda9091d0f3b41809fd57c9dac6bcaf1900b9512..ab319998a277e9a67ce152f09a466889a9b208b1 100644
--- a/domain.te
+++ b/domain.te
@@ -414,6 +414,11 @@ neverallow domain {
   -asec_public_file
 }:file execmod;
 
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow domain self:process { execstack execheap };
+
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;
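Review bot: The comment on the new rule leaves the execmem exception open-ended ("seems to be required by some device-specific service domains") with nothing to track it, while the very next comment in this file records its deferred restriction as a `TODO:` with a bug reference; the new comment should follow the same convention so the gap is not silently forgotten. I would replace the second and third comment lines with `# TODO: neverallow execmem for { domain -<exempt domains> } once the device-specific service domains that still need it are enumerated. b/<bug-id>`, filling in the real bug id. It would also help a reader to name which device-specific domains were found to need execmem, since the rule as written cannot be tightened later without that list. The rule itself is self-contained; the surrounding neverallow ends on the line before the hunk's context, so no enclosing block is cut.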