sysfs-selinux-checkreqprot 1.25 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be	removed in a future kernel release, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.