Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

Blame, all lines: ^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300)

What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
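
Added example (not part of the kernel tree or this repository): a small C program that shows the gap between the protection a process requests and the protection the kernel applies, which is the gap checkreqprot=1 hides from policy. The function names are hypothetical, and it assumes a Linux system with /proc mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>

/* Parse one /proc/<pid>/maps line. Returns 1 if the line covers addr and the
 * mapping is executable, 0 if it covers addr and is not, -1 otherwise. */
int line_exec_for(const char *line, unsigned long addr)
{
    unsigned long start, end;
    char perms[5] = "";

    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return -1;
    if (addr < start || addr >= end)
        return -1;
    return perms[2] == 'x';
}

/* Map one page requesting only PROT_READ, then report what was actually
 * applied: 1 = executable, 0 = not executable, -1 = mmap failed/unknown. */
int actual_exec_of_read_mapping(void)
{
    char line[512];
    int res = -1;
    void *p = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    FILE *f;

    if (p == MAP_FAILED)
        return -1;
    f = fopen("/proc/self/maps", "r");
    while (f && res < 0 && fgets(line, sizeof line, f))
        res = line_exec_for(line, (unsigned long)p);
    if (f)
        fclose(f);
    munmap(p, 4096);
    return res;
}

int main(void)
{
    printf("default personality: exec=%d\n", actual_exec_of_read_mapping());
    /* READ_IMPLIES_EXEC: the kernel adds PROT_EXEC to readable mappings. */
    if (personality(personality(0xffffffff) | READ_IMPLIES_EXEC) == -1)
        perror("personality");
    printf("READ_IMPLIES_EXEC:   exec=%d\n", actual_exec_of_read_mapping());
    return 0;
}
```

With checkreqprot set to 0, an enforcing SELinux policy sees the second mapping as executable anonymous memory and can deny it, in which case the function returns -1. With checkreqprot set to 1, only the requested PROT_READ is checked.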