Restrict making memory executable am: 26239da92b am: d747eafec0 am: e0e3814793 Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1913889 Change-Id: Id0213790caf36846fac42eab17ac0db96d0f1f51

commit: 9d78d3660b28f5464dd9109e76cd6d67e65b3c6d [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Wed Dec 08 17:17:22 2021 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Dec 08 17:17:22 2021 +0000
tree: 70bf7749cffbd9db63f91f3a4acaeff593b43133
parent: de9241aa582c539b1d83cd75905d97e3ed5d6b53 [diff]
parent: e0e3814793205873247f3ca74f82afa303833aaa [diff]
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c852268..2329a1d 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te

@@ -271,6 +271,14 @@
 # Properties that microdroid doesn't have but some still want to read.
 dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
 
+###
+### neverallow rules
+###
+
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };
+
+# No executable memory unless backed by an unmodified file
+neverallow * self:process { execmem execheap execstack };
+neverallow * *:file execmod;
commit	9d78d3660b28f5464dd9109e76cd6d67e65b3c6d	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Wed Dec 08 17:17:22 2021 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Wed Dec 08 17:17:22 2021 +0000
tree	70bf7749cffbd9db63f91f3a4acaeff593b43133
parent	de9241aa582c539b1d83cd75905d97e3ed5d6b53 [diff]
parent	e0e3814793205873247f3ca74f82afa303833aaa [diff]