On 01/24/2014 02:11 PM, Björn Persson wrote:
> Daniel J Walsh wrote:
>> Here is the request from upstream to enable this feature in Rawhide, with
>> an explanation of what it does.
>>
>>> "Android is starting to apply execmem and friends to the non-Dalvik
>>> components (i.e. non-Java components, primarily the native system
>>> daemons). As part of that, I uploaded a change to effectively
>>> echo 0 > /sys/fs/selinux/checkreqprot so that we always check the actual
>>> protection flags applied by the kernel rather than only checking what the
>>> application requested.
>>>
>>> Originally checkreqprot was to support legacy applications that had no
>>> PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so that we
>>> wouldn't have to add execute permission pervasively to policy for such
>>> applications. But it effectively provides a way to bypass policy by
>>> creating such an application, and as I later discovered, just by
>>> calling personality(READ_IMPLIES_EXEC) from an application at any time.
>>> The simplest way to eliminate that bypass comprehensively is to change
>>> the defaults for checkreqprot.
>>>
>>> I think this is likely safe in Fedora since you now allow execmem by
>>> default to most domains. Can we get the same change applied in Fedora,
>>> either by changing the default kernel configuration
>>> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting something
>>> in an init script to set the /sys/fs/selinux/checkreqprot value?
>
> I'm afraid all I understand of that explanation is that this has something
> to do with executable stacks. How does the proposed change affect programs
> that need an executable stack?
>
> Björn Persson

No, we pretty much allow executable stack/memory from user processes now and
block it for most daemons, except for those that need it.

My understanding of this change is that the kernel was not doing complete
checking, but most apps at this point do the right thing. We will turn it on
in Rawhide and through the beta. If we see problems we will revert.

It is now a one line change in

# grep check /lib/tmpfiles.d/selinux-policy.conf
w /sys/fs/selinux/checkreqprot 1

I believe you can revert it by adding

echo "w /sys/fs/selinux/checkreqprot 0" >> /etc/tmpfiles.d/selinux-policy.conf

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
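The tmpfiles.d override mechanism Dan points at above (a same-named file under /etc/tmpfiles.d shadowing the one shipped by selinux-policy) determines which checkreqprot value the kernel ends up with at boot. The script below is an added example, not code from the thread or from the selinux-policy package: it resolves the winning tmpfiles.d entry for /sys/fs/selinux/checkreqprot under standard systemd-tmpfiles precedence (assumed here: etc/ over run/ over usr/lib/, with Fedora's /lib being a symlink to /usr/lib), and explains what the resulting value means for execmem/execstack checks. The search root, the sample tree it builds and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which tmpfiles.d entry wins for
# /sys/fs/selinux/checkreqprot and say what that value means for policy checks.
# Assumption: systemd-tmpfiles precedence, where a file in etc/tmpfiles.d
# shadows a same-named file in run/tmpfiles.d and usr/lib/tmpfiles.d.
# The search root is a parameter so the logic can be run on a constructed tree.

# Print "<winning file>:<value>", "<winning file>:unset" when the winning
# file carries no checkreqprot line, or "none" when no file of that name exists.
effective_checkreqprot() {
    root=$1
    name=$2
    for d in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        f="$root/$d/$name"
        [ -f "$f" ] || continue
        # systemd-tmpfiles applies lines in order, so the last 'w' line for
        # the path is the one whose value ends up in the sysfs file.
        val=$(awk '$1 == "w" && $2 == "/sys/fs/selinux/checkreqprot" { v = $NF }
                   END { print v }' "$f")
        if [ -n "$val" ]; then echo "$f:$val"; else echo "$f:unset"; fi
        return 0
    done
    echo "none"
}

# Map the value to what the kernel will do with execmem/execstack checks.
describe_checkreqprot() {
    case $1 in
        0) echo "0: kernel checks the protection actually applied, so PT_GNU_STACK RWE or personality(READ_IMPLIES_EXEC) cannot widen it past policy" ;;
        1) echo "1: kernel checks only the protection the application requested (the bypass described upstream remains open)" ;;
        *) echo "unset: kernel build default applies (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)" ;;
    esac
}

# Value part of the "file:value" string returned by effective_checkreqprot.
value_of() {
    echo "${1##*:}"
}

# Constructed sample tree: the distribution file sets the hardened value 0 and
# a same-named file under etc/ (the override mechanism) sets it back to 1.
build_sample_tree() {
    root=$1
    mkdir -p "$root/usr/lib/tmpfiles.d" "$root/etc/tmpfiles.d"
    echo "w /sys/fs/selinux/checkreqprot - - - - 0" > "$root/usr/lib/tmpfiles.d/selinux-policy.conf"
    echo "w /sys/fs/selinux/checkreqprot - - - - 1" > "$root/etc/tmpfiles.d/selinux-policy.conf"
}

demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
winner=$(effective_checkreqprot "$demo_root" selinux-policy.conf)
echo "effective with override present: $winner"
describe_checkreqprot "$(value_of "$winner")"
rm -f "$demo_root/etc/tmpfiles.d/selinux-policy.conf"
winner=$(effective_checkreqprot "$demo_root" selinux-policy.conf)
echo "effective after removing the override: $winner"
describe_checkreqprot "$(value_of "$winner")"
rm -rf "$demo_root"
```

On a live system the same functions can be pointed at the real root (`effective_checkreqprot / selinux-policy.conf`) and the result compared against `cat /sys/fs/selinux/checkreqprot`; a mismatch means something after tmpfiles (an init script, or a hand edit) changed the value.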