I want to turn on a part of the kernel to make SELinux checking more stringent.
bjorn at xn--rombobjrn-67a.se
Fri Jan 24 19:11:42 UTC 2014
Daniel J Walsh wrote:
>Here is the request from upstream to enable this feature in Rawhide,
>with an explanation of what it does.
>> "Android is starting to apply execmem and friends to the non-Dalvik
>> components (i.e. non-Java components, primarily the native system
>> daemons). As part of that, I uploaded a change to effectively echo 0
>> > /sys/fs/selinux/checkreqprot so that we always check the actual
>> > protection
>> flags applied by the kernel rather than only checking what the
>> application requested.
>> Originally checkreqprot was to support legacy applications that had
>> no PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so
>> that we wouldn't have to add execute permission pervasively to
>> policy for such applications. But it effectively provides a way to
>> bypass policy by creating such an application, and as I later
>> discovered, just by calling personality(READ_IMPLIES_EXEC) from an
>> application at any time. The simplest way to eliminate that bypass
>> comprehensively is to change the defaults for checkreqprot.
>> I think this is likely safe in Fedora since you now allow execmem by
>> default to most domains. Can we get the same change applied in
>> Fedora, either by changing the default kernel configuration
>> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting
>> something in an init script to set the /sys/fs/selinux/checkreqprot
I'm afraid all I understand of that explanation is that this has
something to do with executable stacks. How does the proposed change
affect programs that need an executable stack?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: not available
More information about the devel