Commit e9c38f9f authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore
Documentation,selinux: deprecate setting checkreqprot to 1
Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
parameter or /sys/fs/selinux/checkreqprot.  Setting it to 0 is left
intact for compatibility since Android and some Linux distributions
do so for security and treat an inability to set it as a fatal error.
Eventually setting it to 0 will become a no-op and the kernel will
stop using checkreqprot's value internally altogether.

checkreqprot was originally introduced as a compatibility mechanism
for legacy userspace and the READ_IMPLIES_EXEC personality flag.
However, if set to 1, it weakens security by allowing mappings to be
made executable without authorization by policy.  The default value
for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
from 1 to 0 in commit 2a35d196 ("selinux: change
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
and Linux distributions began explicitly setting
/sys/fs/selinux/checkreqprot to 0 some time ago.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 4b36cb77
+23 −0
What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be	removed in a future kernel release, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
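Review bot: Stray tab inside the sentence on the line `will be	removed in a future kernel release`, between "be" and "removed"; replace it with a space. This ABI entry also describes only the selinuxfs node, while the commit message deprecates setting 1 through the `checkreqprot=` kernel parameter as well; one sentence saying the boot parameter is deprecated in the same way would keep this entry consistent with the Kconfig text in the same change.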
+1 −0
@@ -518,6 +518,7 @@
			Default value is set via a kernel config option.
			Value can be changed at runtime via
				/sys/fs/selinux/checkreqprot.
			Setting checkreqprot to 1 is deprecated.

	cio_ignore=	[S390]
			See Documentation/s390/common_io.rst for details.
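Review bot: The added line `Setting checkreqprot to 1 is deprecated.` states the deprecation but not its effect; since the hooks.c change in this commit logs a warning at boot and says the value will be rejected in a future release, consider saying so here, e.g. `Setting checkreqprot to 1 is deprecated, logs a warning, and will be rejected in a future kernel release.`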
+1 −0
@@ -14986,6 +14986,7 @@ F: security/selinux/
F:	scripts/selinux/
F:	Documentation/admin-guide/LSM/SELinux.rst
F:	Documentation/ABI/obsolete/sysfs-selinux-disable
F:	Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
SENSABLE PHANTOM
M:	Jiri Slaby <jirislaby@gmail.com>
+3 −0
@@ -88,6 +88,9 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
	  'checkreqprot=' boot parameter.  It may also be changed at runtime
	  via /sys/fs/selinux/checkreqprot if authorized by policy.

	  WARNING: this option is deprecated and will be removed in a future
	  kernel release.

	  If you are unsure how to answer this question, answer 0.

config SECURITY_SELINUX_SIDTAB_HASH_BITS
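Review bot: `WARNING: this option is deprecated and will be removed in a future kernel release.` reads as if both values are deprecated, but the commit message keeps 0 supported and deprecates only 1, with the option going away later once the kernel stops consulting checkreqprot. Suggest wording such as `WARNING: setting this to 1 is deprecated; the option itself will be removed in a future kernel release once checkreqprot is no longer used.` so that a reader choosing 0, as the help text recommends, does not think they are selecting a deprecated setting.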
+4 −1
@@ -142,8 +142,11 @@ static int __init checkreqprot_setup(char *str)
{
	unsigned long checkreqprot;

	if (!kstrtoul(str, 0, &checkreqprot))
	if (!kstrtoul(str, 0, &checkreqprot)) {
		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
		if (checkreqprot)
			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
	}
	return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
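Review bot: The pr_warn() added in checkreqprot_setup() covers only the kernel-parameter path; the commit message also deprecates writing 1 to /sys/fs/selinux/checkreqprot, and no hunk on this page adds a matching warning to the selinuxfs write handler, so confirm that path warns too or that it is handled in a separate change. Minor and pre-existing: when kstrtoul() fails the function still returns 1 with no message, so a malformed `checkreqprot=` value is silently ignored; a log line there would fit alongside the new warning.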