cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

sysfs-selinux-checkreqprot (1273B)


What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
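
Added example (not part of the kernel tree or of this repository): a shell audit that reports whether a host still runs with checkreqprot set to 1, either at runtime through the selinuxfs node or at boot through the checkreqprot= kernel parameter. The function names and exit codes are choices made for this example; the paths are arguments so the check can be run against constructed files.

```shell
#!/bin/sh
# Added example: audit the checkreqprot setting described above.
# Function names and exit codes are this example's own, not a kernel interface.

# Print the runtime state: ok | weak | absent | unknown:<value>
checkreqprot_state() {
    node=${1:-/sys/fs/selinux/checkreqprot}
    # selinuxfs not mounted or SELinux disabled: nothing to evaluate.
    [ -r "$node" ] || { echo absent; return 0; }
    val=$(tr -d ' \t\n' < "$node")
    case $val in
        0) echo ok ;;               # actual protection is checked
        1) echo weak ;;             # requested protection is checked
        *) echo "unknown:$val" ;;
    esac
}

# Print the value of a checkreqprot= boot parameter, or "unset".
# If the parameter is repeated, the last occurrence is reported.
checkreqprot_cmdline() {
    cmdline=${1:-/proc/cmdline}
    [ -r "$cmdline" ] || { echo unset; return 0; }
    val=$(tr ' \t' '\n\n' < "$cmdline" | sed -n 's/^checkreqprot=//p' | tail -n 1)
    echo "${val:-unset}"
}

# Exit status: 0 compliant, 1 finding, 2 not applicable (no selinuxfs node).
audit_checkreqprot() {
    state=$(checkreqprot_state "$1")
    boot=$(checkreqprot_cmdline "$2")
    echo "runtime=$state boot=$boot"
    [ "$state" = absent ] && return 2
    # Compliant only if the runtime value is 0 and boot does not request 1.
    [ "$state" = ok ] && [ "$boot" != 1 ] && return 0
    return 1
}

# Usage on a live system: audit_checkreqprot   (defaults to the real paths)
```

A boot-time value of 1 is reported as a finding even when the runtime node reads 0, because mappings created before an init script writes "0" were checked against the requested protection.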