From ad7df7bb76ce00cdef711ad1f96a9a7243981f4e Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 20 Dec 2013 08:24:12 -0500
Subject: [PATCH] Remove execmem permission from domain, add to appdomain.

execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te    | 3 +++
 domain.te | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index f53f633c4..80c40aac8 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,9 @@
 ### zygote spawned apps should be added here.
 ###
 
+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+
 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)
 
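Review bot: The comment on the new `allow appdomain self:process execmem;` rule names the Dalvik JIT but not the scope of the grant. Every domain carrying the appdomain attribute, whether or not it runs JIT-compiled code, keeps the ability to make anonymous mappings executable and private file mappings writable and executable. I would record that in the comment, e.g. `# execmem: needed for Dalvik JIT code mappings; granted to all of appdomain until it can be narrowed to the app domains that need it.` Whether any app domain can run without the permission is not visible from this hunk, so the narrowing is a follow-up to track, not a defect in this change.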
diff --git a/domain.te b/domain.te
index d0e3ff43a..826a67fc4 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
 allow domain tmpfs:dir r_dir_perms;
 
 # Intra-domain accesses.
-allow domain self:process ~{ execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace };
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
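Review bot: The `# Intra-domain accesses.` comment above the changed rule does not say that the complement set is a deliberate exclusion list, so a later edit could drop `execmem` from it without noticing the hardening it undoes. A comment such as `# execmem, execstack, execheap and ptrace are withheld from domain; grant them per domain only where justified.` would record the intent next to the rule. Because the description expects device-specific policy to need the permission for some binaries, domains that relied on the blanket grant will now produce execmem AVC denials. Those are best found from the denial logs during device bring-up and fixed in the specific domain's .te file, not by widening this rule again.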
-- 
GitLab