Mount /data with MS_NOEXEC We want to ensure that W^X is guaranteed for Microdroid VMs. This change doesn't guarantee that W^X is enforced for FULL_DEBUG VMs, as a user can enable adb root, and remount the /data without MS_NOEXEC flag. This is intended, as it allows developers to debug & get familiar with the Microdroid execution environment. This is an attempt at relanding aosp/I622e3d95d9d8fd6d26bfb690499acf7208ca4d52 Bug: 265261525 Test: atest MicrodroidTestApp Change-Id: Id826bd46f6fcf2ed1cf64710cfa057ffe7036ef8

commit: 29e15c83d1cbfe0db7c5c2e7dacfbc2bb53f6b84 [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Sat Feb 25 02:31:51 2023 +0000
committer: Nikita Ioffe <ioffe@google.com> Mon Feb 27 17:47:05 2023 +0000
tree: 136ad3ad2de56585e4b19219a92d11130690f90e
parent: a12763c7e2c7cbcff00242e02726b5ce3c3c65a5 [diff]
diff --git a/microdroid/init.rc b/microdroid/init.rc
index ce0cab4..70c22d4 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc

@@ -98,7 +98,7 @@
     mount rootfs rootfs / remount bind ro nodev
 
     # TODO(b/185767624): change the hard-coded size?
-    mount tmpfs tmpfs /data noatime nosuid nodev rw size=128M
+    mount tmpfs tmpfs /data noatime nosuid nodev noexec rw size=128M
 
     # We chown/chmod /data again so because mount is run as root + defaults
     chown system system /data
commit	29e15c83d1cbfe0db7c5c2e7dacfbc2bb53f6b84	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Sat Feb 25 02:31:51 2023 +0000
committer	Nikita Ioffe <ioffe@google.com>	Mon Feb 27 17:47:05 2023 +0000
tree	136ad3ad2de56585e4b19219a92d11130690f90e
parent	a12763c7e2c7cbcff00242e02726b5ce3c3c65a5 [diff]