From 7ffb9972076bfbd2abab1df6b4d759d14d55af96 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 14 May 2014 14:05:49 -0400
Subject: [PATCH] Neverallow low memory mappings.

This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.

Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/domain.te b/domain.te
index 7f0347a10..b8ddc2e18 100644
--- a/domain.te
+++ b/domain.te
@@ -153,6 +153,9 @@ neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability
 # Limit device node creation and raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
 
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow domain self:memprotect mmap_zero;
+
 # No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
 
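Review bot: The comment on the added `neverallow domain self:memprotect mmap_zero;` states the effect but not the reason or the scope of the guarantee, and both are worth recording next to the rule. A neverallow is checked when the policy is compiled, so it only proves that no allow rule grants `mmap_zero`; it denies nothing at runtime on its own, and a domain left permissive would presumably still not be stopped by SELinux. I would word the comment as `# Mapping below CONFIG_LSM_MMAP_MIN_ADDR weakens the kernel's NULL-pointer dereference protection.` followed by `# Build-time assertion: no domain, including the sys_rawio-exempt ones above, may be allowed mmap_zero.` The second line matters because the kernel's separate DAC check for low mappings is keyed on CAP_SYS_RAWIO, which the rule just above still leaves open to its whitelisted domains.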
-- 
GitLab