I want to turn on a part of the kernel to make SELinux checking more stringent.

[Björn Persson]

Daniel J Walsh wrote:
>Here is the request from upstream to enable this feature in Rawhide,
>with an explanation of what it does.
>
>> "Android is starting to apply execmem and friends to the non-Dalvik 
>> components (i.e. non-Java components, primarily the native system
>> daemons). As part of that, I uploaded a change to effectively echo 0
>> > /sys/fs/selinux/checkreqprot so that we always check the actual
>> > protection 
>> flags applied by the kernel rather than only checking what the
>> application requested.
>> 
>> Originally checkreqprot was to support legacy applications that had
>> no PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so
>> that we wouldn't have to add execute permission pervasively to
>> policy for such applications.  But it effectively provides a way to
>> bypass policy by creating such an application, and as I later
>> discovered, just by calling personality(READ_IMPLIES_EXEC) from an
>> application at any time. The simplest way to eliminate that bypass
>> comprehensively is to change the defaults for checkreqprot.
>> 
>> I think this is likely safe in Fedora since you now allow execmem by
>> default to most domains.  Can we get the same change applied in
>> Fedora, either by changing the default kernel configuration 
>> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting
>> something in an init script to set the /sys/fs/selinux/checkreqprot
>> value?  

I'm afraid all I understand of that explanation is that this has
something to do with executable stacks. How does the proposed change
affect programs that need an executable stack?

Björn Persson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140124/af2bbebb/attachment.sig>