What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in
	March 2023, the original deprecation notice is shown below.

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
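
The gap described above, shown as an added example (a simplified model written for this page, not kernel source): it compares the protection the kernel applies with the protection SELinux evaluates for each checkreqprot value. The function names and the boolean standing in for the READ_IMPLIES_EXEC personality flag are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

/* Model assumption: with READ_IMPLIES_EXEC set, a request that includes
 * PROT_READ is applied by the kernel with PROT_EXEC added. */
static int applied_prot(int reqprot, bool read_implies_exec)
{
    int prot = reqprot;
    if (read_implies_exec && (reqprot & PROT_READ))
        prot |= PROT_EXEC;
    return prot;
}

/* Protection that SELinux evaluates against policy:
 * checkreqprot=1 -> what userspace requested,
 * checkreqprot=0 -> what the kernel actually applies. */
static int checked_prot(int reqprot, bool read_implies_exec, int checkreqprot)
{
    return checkreqprot ? reqprot : applied_prot(reqprot, read_implies_exec);
}

/* True when the mapping ends up executable although policy was never
 * consulted about PROT_EXEC, which is the weakening the Description names. */
static bool exec_unchecked(int reqprot, bool read_implies_exec, int checkreqprot)
{
    int applied = applied_prot(reqprot, read_implies_exec);
    int checked = checked_prot(reqprot, read_implies_exec, checkreqprot);
    return (applied & PROT_EXEC) && !(checked & PROT_EXEC);
}

int main(void)
{
    int req = PROT_READ | PROT_WRITE; /* constructed sample request */

    for (int crp = 0; crp <= 1; crp++)
        printf("checkreqprot=%d: executable without policy check: %s\n",
               crp, exec_unchecked(req, true, crp) ? "yes" : "no");
    return 0;
}
```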