From 5328d9749db00e8bbb0587913e5cc8bd8281db24 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 22 Jun 2015 12:42:59 -0400
Subject: [PATCH] neverallow PROT_EXEC stack or heap.

Despite removing these from AOSP policy they seem to still be
present in device policies.  Prohibit them via neverallow.

We would also like to minimize execmem to only app domains
and others using ART, but that will first require eliminating it
from device-specific service domains (which may only have it
due to prior incorrect handling of text relocations).

Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/domain.te b/domain.te
index eda9091d0..ab319998a 100644
--- a/domain.te
+++ b/domain.te
@@ -414,6 +414,11 @@ neverallow domain {
   -asec_public_file
 }:file execmod;
 
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow domain self:process { execstack execheap };
+
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;
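Review bot: The second sentence of the new comment (lines 29-30) records an open follow-up rather than a property of the rule, while the adjacent comment at line 33 already uses the `# TODO:` form for exactly that kind of pending restriction; stating the execmem goal the same way keeps the two open items greppable together, e.g. `# TODO: restrict execmem to appdomain and other domains using ART once device-specific service domains no longer need it.` It is also worth a phrase noting that a neverallow is checked when the policy is compiled, not at runtime, so a device policy that still grants execstack or execheap will fail to build rather than be denied on the device, which tells device maintainers the fix is to drop their allow rules. The `self:process` target is the right one here, since these permissions are only meaningful for a process changing its own mappings.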
-- 
GitLab