linux/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
<<
>>
Prefs
   1What:           /sys/fs/selinux/checkreqprot
   2Date:           April 2005 (predates git)
   3KernelVersion:  2.6.12-rc2 (predates git)
   4Contact:        selinux@vger.kernel.org
   5Description:
   6
   7        The selinuxfs "checkreqprot" node allows SELinux to be configured
   8        to check the protection requested by userspace for mmap/mprotect
   9        calls instead of the actual protection applied by the kernel.
  10        This was a compatibility mechanism for legacy userspace and
  11        for the READ_IMPLIES_EXEC personality flag.  However, if set to
  12        1, it weakens security by allowing mappings to be made executable
  13        without authorization by policy.  The default value of checkreqprot
  14        at boot was changed starting in Linux v4.4 to 0 (i.e. check the
  15        actual protection), and Android and Linux distributions have been
  16        explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
  17        initialization for some time.  Support for setting checkreqprot to 1
  18        will be removed no sooner than June 2021, at which point the kernel
  19        will always cease using checkreqprot internally and will always
  20        check the actual protections being applied upon mmap/mprotect calls.
  21        The checkreqprot selinuxfs node will remain for backward compatibility
  22        but will discard writes of the "0" value and will reject writes of the
  23        "1" value when this mechanism is removed.
  24