Daniel J Walsh wrote: >Here is the request from upstream to enable this feature in Rawhide, >with an explanation of what it does. > >> "Android is starting to apply execmem and friends to the non-Dalvik >> components (i.e. non-Java components, primarily the native system >> daemons). As part of that, I uploaded a change to effectively echo 0 >> > /sys/fs/selinux/checkreqprot so that we always check the actual >> > protection >> flags applied by the kernel rather than only checking what the >> application requested. >> >> Originally checkreqprot was to support legacy applications that had >> no PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so >> that we wouldn't have to add execute permission pervasively to >> policy for such applications. But it effectively provides a way to >> bypass policy by creating such an application, and as I later >> discovered, just by calling personality(READ_IMPLIES_EXEC) from an >> application at any time. The simplest way to eliminate that bypass >> comprehensively is to change the defaults for checkreqprot. >> >> I think this is likely safe in Fedora since you now allow execmem by >> default to most domains. Can we get the same change applied in >> Fedora, either by changing the default kernel configuration >> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting >> something in an init script to set the /sys/fs/selinux/checkreqprot >> value? I'm afraid all I understand of that explanation is that this has something to do with executable stacks. How does the proposed change affect programs that need an executable stack? Björn Persson
Attachment:
signature.asc
Description: PGP signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
