What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	[email protected]
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
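One way to audit a host for the weakened setting described above, as an added example that is not part of the kernel documentation. The function names are hypothetical; the `/proc/PID/personality` file and the `0x0400000` value of READ_IMPLIES_EXEC come from Linux generally, not from this page.

```shell
#!/bin/sh
# Added example (not kernel code): report the checkreqprot setting and, when it
# is weakened, the processes running with the READ_IMPLIES_EXEC personality.

# Print "actual", "requested", "absent" or "unknown" for a checkreqprot node.
checkreqprot_state() {
    node=${1:-/sys/fs/selinux/checkreqprot}
    [ -r "$node" ] || { echo absent; return 0; }   # no selinuxfs mounted
    value=$(tr -d ' \n' < "$node")
    case "$value" in
        0) echo actual ;;      # policy checks the protection the kernel applies
        1) echo requested ;;   # weakened: policy checks only what userspace asked for
        *) echo unknown ;;
    esac
}

# Succeed if a hex personality value (format of /proc/PID/personality) has
# READ_IMPLIES_EXEC (0x0400000 in <linux/personality.h>) set.
has_read_implies_exec() {
    [ $(( 0x$1 & 0x0400000 )) -ne 0 ]
}

# List PIDs whose PROT_READ requests become executable mappings.
# Entries of other users need privilege to read; unreadable ones are skipped.
list_rie_pids() {
    for f in "${1:-/proc}"/[0-9]*/personality; do
        [ -r "$f" ] || continue
        p=$(cat "$f" 2>/dev/null) || continue
        case "$p" in ''|*[!0-9a-fA-F]*) continue ;; esac
        if has_read_implies_exec "$p"; then
            pid=${f%/personality}
            echo "${pid##*/}"
        fi
    done
}

# Usage: audit [checkreqprot-node] [proc-root]
audit() {
    state=$(checkreqprot_state "$1")
    echo "checkreqprot: $state"
    if [ "$state" = requested ]; then
        echo "WARNING: write 0 to the node during initialization"
        echo "READ_IMPLIES_EXEC pids: $(list_rie_pids "$2" | tr '\n' ' ')"
    fi
}

audit "$@"
```

Both path arguments exist so the functions can be pointed at a captured copy of the files from another host.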