I want to turn on a part of the kernel to make SELinux checking more stringent.
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 24 16:01:42 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is the request from upstream to enable this feature in Rawhide, with an
explanation of what it does.
> "Android is starting to apply execmem and friends to the non-Dalvik
> components (i.e. non-Java components, primarily the native system
> daemons). As part of that, I uploaded a change to effectively echo 0 >
> /sys/fs/selinux/checkreqprot so that we always check the actual protection
> flags applied by the kernel rather than only checking what the application
> requested.
>
> Originally checkreqprot was to support legacy applications that had no
> PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so that we
> wouldn't have to add execute permission pervasively to policy for such
> applications. But it effectively provides a way to bypass policy by
> creating such an application, and as I later discovered, just by calling
> personality(READ_IMPLIES_EXEC) from an application at any time. The
> simplest way to eliminate that bypass comprehensively is to change the
> defaults for checkreqprot.
>
> I think this is likely safe in Fedora since you now allow execmem by
> default to most domains. Can we get the same change applied in Fedora,
> either by changing the default kernel configuration
> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting something in
> an init script to set the /sys/fs/selinux/checkreqprot value?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLijmYACgkQrlYvE4MpobP3GgCg0sGEjAuD7tKM+4aH3HkGOnJP
wuYAoJOfrvEjYm90uwUMpDIW0p7NfSel
=DOlV
-----END PGP SIGNATURE-----
More information about the devel
mailing list