Here is the request from upstream to enable this feature in Rawhide, with an explanation of what it does.

> "Android is starting to apply execmem and friends to the non-Dalvik
> components (i.e. non-Java components, primarily the native system
> daemons). As part of that, I uploaded a change to effectively echo 0 >
> /sys/fs/selinux/checkreqprot so that we always check the actual protection
> flags applied by the kernel rather than only checking what the application
> requested.
>
> Originally checkreqprot was to support legacy applications that had no
> PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so that we
> wouldn't have to add execute permission pervasively to policy for such
> applications. But it effectively provides a way to bypass policy by
> creating such an application, and as I later discovered, just by calling
> personality(READ_IMPLIES_EXEC) from an application at any time. The
> simplest way to eliminate that bypass comprehensively is to change the
> defaults for checkreqprot.
>
> I think this is likely safe in Fedora since you now allow execmem by
> default to most domains. Can we get the same change applied in Fedora,
> either by changing the default kernel configuration
> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting something in
> an init script to set the /sys/fs/selinux/checkreqprot value?

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
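
A defender-side audit for the setting discussed in this message, as an added example that is not part of the original e-mail or of any Fedora or Android script: it reports whether checkreqprot is 0 and lists processes whose personality has READ_IMPLIES_EXEC set. The function names, and the choice to read the flag from /proc/<pid>/personality (a hex value, bit 0x0400000), are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the checkreqprot setting and READ_IMPLIES_EXEC use.
# Paths are parameters so the functions can be pointed at constructed fixtures.

# Print "actual" if SELinux checks the protection the kernel really applies
# (checkreqprot=0), "requested" if it checks only what the application asked
# for (checkreqprot=1), "unknown" if the file is missing or has other content.
checkreqprot_mode() {
    _crp_file=${1:-/sys/fs/selinux/checkreqprot}
    _crp_val=$(cat "$_crp_file" 2>/dev/null) || { echo unknown; return 0; }
    case $_crp_val in
        0) echo actual ;;
        1) echo requested ;;
        *) echo unknown ;;
    esac
}

# Succeed if a /proc/<pid>/personality value (hex, no 0x prefix) has
# READ_IMPLIES_EXEC (0x0400000 in linux/personality.h) set.
has_read_implies_exec() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # not a hex string
    esac
    [ $(( 0x$1 & 0x0400000 )) -ne 0 ]
}

# Print the PIDs under a proc-style root whose personality has the bit set.
# Entries that cannot be read (other users' processes, exited PIDs) are skipped.
list_read_implies_exec() {
    _rie_root=${1:-/proc}
    for _rie_f in "$_rie_root"/[0-9]*/personality; do
        _rie_hex=$(cat "$_rie_f" 2>/dev/null) || continue
        _rie_pid=${_rie_f%/personality}
        if has_read_implies_exec "$_rie_hex"; then echo "${_rie_pid##*/}"; fi
    done
}

audit() {
    echo "checkreqprot mode: $(checkreqprot_mode "$1")"
    echo "PIDs with READ_IMPLIES_EXEC: $(list_read_implies_exec "$2" | tr '\n' ' ')"
}

audit "$@"
```

Run it as root so that every process's personality file is readable; a non-empty PID list matters most while the mode is `requested`.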