1e9c38f9fSStephen SmalleyWhat: /sys/fs/selinux/checkreqprot 2e9c38f9fSStephen SmalleyDate: April 2005 (predates git) 3e9c38f9fSStephen SmalleyKernelVersion: 2.6.12-rc2 (predates git) 4e9c38f9fSStephen SmalleyContact: selinux@vger.kernel.org 5e9c38f9fSStephen SmalleyDescription: 6e9c38f9fSStephen Smalley 7*a7e4676eSPaul Moore REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in 8*a7e4676eSPaul Moore March 2023, the original deprecation notice is shown below. 9*a7e4676eSPaul Moore 10e9c38f9fSStephen Smalley The selinuxfs "checkreqprot" node allows SELinux to be configured 11e9c38f9fSStephen Smalley to check the protection requested by userspace for mmap/mprotect 12e9c38f9fSStephen Smalley calls instead of the actual protection applied by the kernel. 13e9c38f9fSStephen Smalley This was a compatibility mechanism for legacy userspace and 14e9c38f9fSStephen Smalley for the READ_IMPLIES_EXEC personality flag. However, if set to 15e9c38f9fSStephen Smalley 1, it weakens security by allowing mappings to be made executable 16e9c38f9fSStephen Smalley without authorization by policy. The default value of checkreqprot 17e9c38f9fSStephen Smalley at boot was changed starting in Linux v4.4 to 0 (i.e. check the 18e9c38f9fSStephen Smalley actual protection), and Android and Linux distributions have been 19e9c38f9fSStephen Smalley explicitly writing a "0" to /sys/fs/selinux/checkreqprot during 20e9c38f9fSStephen Smalley initialization for some time. Support for setting checkreqprot to 1 210d50f059SPaul Moore will be removed no sooner than June 2021, at which point the kernel 22e9c38f9fSStephen Smalley will always cease using checkreqprot internally and will always 23e9c38f9fSStephen Smalley check the actual protections being applied upon mmap/mprotect calls. 24e9c38f9fSStephen Smalley The checkreqprot selinuxfs node will remain for backward compatibility 25e9c38f9fSStephen Smalley but will discard writes of the "0" value and will reject writes of the 26e9c38f9fSStephen Smalley "1" value when this mechanism is removed. 27