Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5e1461dc authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. 



If checkreqprot == 1, SELinux only checks the protection flags passed
by the application, even if the kernel internally adds PROT_EXEC for
READ_IMPLIES_EXEC personality flags.  Switch to checkreqprot == 0
to check the final protection flags applied by the kernel.

Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent cd8b953e

rootdir/init.rc

+3 −0
Original line number Diff line number Diff line
@@ -13,6 +13,9 @@ on early-init 
    # Set init and its forked children's oom_adj.

    write /proc/1/oom_adj -16



    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.

    write /sys/fs/selinux/checkreqprot 0



    # Set the security context for the init process.

    # This should occur before anything else (e.g. ueventd) is started.

    setcon u:r:init:s0