Commit 33edd308 authored by Daniel Cashman, committed by Gerrit Code Review

Merge "neverallow PROT_EXEC stack or heap."

parents 7d65b547 5328d974
......@@ -414,6 +414,11 @@ neverallow domain {
-asec_public_file
}:file execmod;
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow domain self:process { execstack execheap };
# TODO: prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
# neverallow { domain -appdomain } file_type:file execmod;
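
Review bot: the comment above the new neverallow says execmem "seems to be required by some device-specific service domains" but names neither those domains nor a tracking bug, unlike the TODO just below it, which cites b/20013628. Suggest turning it into a TODO with a bug reference, or naming the domains known to need execmem, so the follow-up restriction is not lost. Also worth noting in the comment that the rule is written against plain `domain` with no `-` exclusions, so a device policy that grants execstack or execheap to any domain will now fail to compile rather than be exempted.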