Remove execmem permission from domain, add to appdomain.

execmem permission controls the ability to make an anonymous mapping executable or to make a private file mapping writable and executable. Remove this permission from domain (i.e. all domains) by default, and add it explicitly to app domains. It is already allowed in other specific .te files as required. There may be additional cases in device-specific policy where it is required for proprietary binaries. Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove execmem permission from domain, add to appdomain.
ad7df7bb · Stephen Smalley · 527316a2 · ad7df7bb · ad7df7bb
Commit ad7df7bb authored 11 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -7,6 +7,9 @@
 ### zygote spawned apps should be added here.
 ###

+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+
 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)


--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
 allow domain tmpfs:dir r_dir_perms;

 # Intra-domain accesses.
-allow domain self:process ~{ execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace };
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;