neverallow PROT_EXEC stack or heap.

Despite removing these from AOSP policy they seem to still be present in device policies. Prohibit them via neverallow. We would also like to minimize execmem to only app domains and others using ART, but that will first require eliminating it from device-specific service domains (which may only have it due to prior incorrect handling of text relocations). Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

neverallow PROT_EXEC stack or heap.
5328d974 · Stephen Smalley · 9c7570ef · 5328d974
Commit 5328d974 authored 9 years ago by Stephen Smalley
--- a/domain.te
+++ b/domain.te
@@ -414,6 +414,11 @@ neverallow domain {
  -asec_public_file
 }:file execmod;

+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow domain self:process { execstack execheap };
+
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;