Restrict making memory executable

All code must reside in files.

Bug: 204853211
Test: Builds, no neverallow violations
Change-Id: I124a4c567fff76e143582e189b8cb9feeae5d7d0
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c852268..2329a1d 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -271,6 +271,14 @@
 # Properties that microdroid doesn't have but some still want to read.
 dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
 
+###
+### neverallow rules
+###
+
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };
+
+# No executable memory unless backed by an unmodified file
+neverallow * self:process { execmem execheap execstack };
+neverallow * *:file execmod;