Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.

If checkreqprot == 1, SELinux only checks the protection flags passed
by the application, even if the kernel internally adds PROT_EXEC for
READ_IMPLIES_EXEC personality flags.  Switch to checkreqprot == 0
to check the final protection flags applied by the kernel.

Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 9706c89..50cbbfe 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -13,6 +13,9 @@
     # Set init and its forked children's oom_adj.
     write /proc/1/oom_adj -16
 
+    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+    write /sys/fs/selinux/checkreqprot 0
+
     # Set the security context for the init process.
     # This should occur before anything else (e.g. ueventd) is started.
     setcon u:r:init:s0
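Review bot: The comment above the added `write /sys/fs/selinux/checkreqprot 0` line says only "strict checking" and does not explain what the value 0 selects. The commit message explains it: 0 makes SELinux check the final protection flags applied by the kernel, including a PROT_EXEC added for READ_IMPLIES_EXEC, rather than the flags the application requested. Consider carrying that one sentence into the init.rc comment so the setting is understandable without the commit log. The write is also placed before `setcon u:r:init:s0` and depends on selinuxfs already being available at /sys/fs/selinux at this point in the file. This hunk does not show that, so it is worth confirming, along with what happens to this write on a kernel built without SELinux.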