neverallow PROT_EXEC stack or heap. Despite removing these from AOSP policy they seem to still be present in device policies. Prohibit them via neverallow. We would also like to minimize execmem to only app domains and others using ART, but that will first require eliminating it from device-specific service domains (which may only have it due to prior incorrect handling of text relocations). Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 5328d9749db00e8bbb0587913e5cc8bd8281db24 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Mon Jun 22 12:42:59 2015 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Tue Jun 23 18:47:52 2015 +0000
tree: db8952d3f04d64c3bf3c4bb9af4c3d7a77c00495
parent: 9c7570ef799616e683471ebdb22ee34a424a0aa0 [diff]
diff --git a/domain.te b/domain.te
index eda9091..ab31999 100644
--- a/domain.te
+++ b/domain.te

@@ -414,6 +414,11 @@
   -asec_public_file
 }:file execmod;
 
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow domain self:process { execstack execheap };
+
 # TODO: prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
 # neverallow { domain -appdomain } file_type:file execmod;
commit	5328d9749db00e8bbb0587913e5cc8bd8281db24	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Mon Jun 22 12:42:59 2015 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Tue Jun 23 18:47:52 2015 +0000
tree	db8952d3f04d64c3bf3c4bb9af4c3d7a77c00495
parent	9c7570ef799616e683471ebdb22ee34a424a0aa0 [diff]