Restrict making memory executable
All code must reside in files.
Bug: 204853211
Test: Builds, no neverallow violations
Change-Id: I124a4c567fff76e143582e189b8cb9feeae5d7d0
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c852268..2329a1d 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -271,6 +271,14 @@
# Properties that microdroid doesn't have but some still want to read.
dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+###
+### neverallow rules
+###
+
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
+
+# No executable memory unless backed by an unmodified file
+neverallow * self:process { execmem execheap execstack };
+neverallow * *:file execmod;
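Review bot: The `execmod` rule on the last added line names only class `file`, so it does not assert anything about making a modified mapping of a character or block device node executable, while the comment above the two rules reads as a blanket guarantee. If this policy's access vectors define `execmod` on those classes (likely, but worth confirming against `access_vectors`), widening the rule to `neverallow * *:{ file chr_file blk_file } execmod;` would make the assertion match the comment. The new rules also use `*` as the source where the neighbouring device rule uses `domain`; if that is deliberate, a short comment such as `# '*' rather than 'domain' so that no type at all can be granted these` would record the intent. Since neverallow is checked only when the policy is compiled, the comment could also say that these rules assert the absence of allow rules rather than add a runtime check.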