What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
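
A check a defender can run for the setting described above, as an added example that is not part of the kernel documentation. It reports whether the node reads 0 or 1 and also flags a checkreqprot=1 kernel boot parameter, which this page does not mention; the function name and return codes are assumptions of the example, and both paths are arguments so it can be pointed at constructed files.

```shell
#!/bin/sh
# Added example: audit the checkreqprot setting on a host.
# Usage: audit_checkreqprot [node_path] [cmdline_path]
# With no arguments it inspects the live system paths.
#
# Return status (an assumption of this example, not a kernel convention):
#   0 = node reads 0 (actual protection is checked), no boot override to 1
#   1 = weak: node reads 1, or the boot command line carries checkreqprot=1
#   2 = cannot tell: node missing/unreadable or unexpected content
audit_checkreqprot() {
    node=${1:-/sys/fs/selinux/checkreqprot}
    cmdline=${2:-/proc/cmdline}
    result=0

    if [ ! -r "$node" ]; then
        echo "UNKNOWN: $node not readable (selinuxfs not mounted or SELinux disabled)"
        result=2
    else
        # The node holds a single digit; strip whitespace and NULs first.
        value=$(tr -d ' \t\n\000' < "$node")
        case $value in
            0) echo "OK: $node = 0 (actual protection is checked)" ;;
            1) echo "WEAK: $node = 1 (only the requested protection is checked)"
               result=1 ;;
            *) echo "UNKNOWN: $node has unexpected content '$value'"
               result=2 ;;
        esac
    fi

    # A boot parameter can set the initial value before init writes "0",
    # so flag it even when the node currently reads 0.
    if [ -r "$cmdline" ] &&
       tr ' \t' '\n\n' < "$cmdline" | grep -qx 'checkreqprot=1'; then
        echo "WEAK: checkreqprot=1 present in $cmdline"
        result=1
    fi

    return "$result"
}
```
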