diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad725213f5685f681c9dfe3aed8f73a1a2cb3d19..932eef18db337293badeb4bf7c96471dcbf7e0e7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2477,6 +2477,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
prot = reqprot;
#ifndef CONFIG_PPC32
+ if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
+ (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk)) {
+ /*
+ * We are making an executable mapping in the brk region.
+ * This has an additional execheap check.
+ */
+ rc = task_has_perm(current, current, PROCESS__EXECHEAP);
+ if (rc)
+ return rc;
+ }
if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
/*
* We are making executable a file mapping that has
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index e81f0226c37dfc0eb30fd8afab75d079ca9e3a95..1deb59e1b76257dab1129f0050ce0f727aceeb30 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -71,6 +71,7 @@
S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
+ S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
S_(SECCLASS_MSG, MSG__SEND, "send")
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 38ce18b3328461244606b15926e7c4a52552b5c4..a78b5d59c9fc008f638200a1764c3a1e2e7a646e 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -466,6 +466,7 @@
#define PROCESS__SETCURRENT 0x01000000UL
#define PROCESS__EXECMEM 0x02000000UL
#define PROCESS__EXECSTACK 0x04000000UL
+#define PROCESS__EXECHEAP 0x08000000UL
#define IPC__CREATE 0x00000001UL
#define IPC__DESTROY 0x00000002UL