authorStephen Smalley <sds@tycho.nsa.gov>2013-12-23 16:26:46 -0500
committerStephen Smalley <sds@tycho.nsa.gov>2013-12-23 16:29:25 -0500
commit5e1461dc906f68f6590df1c79f2f4d69e0af18c5 (patch)
tree3d0ce3a643c3cec7ab6d803c9be1aa0089ddce19
parentcd8b953ede50f68dff5ea049e72aee130dc4a3cb (diff)
Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
If checkreqprot == 1, SELinux only checks the protection flags passed by the application, even if the kernel internally adds PROT_EXEC for READ_IMPLIES_EXEC personality flags. Switch to checkreqprot == 0 to check the final protection flags applied by the kernel. Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--rootdir/init.rc3
1 files changed, 3 insertions, 0 deletions
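--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -13,6 +13,9 @@ on early-init
 # Set init and its forked children's oom_adj.
 write /proc/1/oom_adj -16
+ # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+ write /sys/fs/selinux/checkreqprot 0
+
 # Set the security context for the init process.
 # This should occur before anything else (e.g. ueventd) is started.
 setcon u:r:init:s0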
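Review bot: The comment above the new `write /sys/fs/selinux/checkreqprot 0` line repeats the commit title but does not say what the value 0 means, so a reader of init.rc cannot tell which checking is being tightened; I would extend it to `# checkreqprot=0: check the protection flags the kernel actually applies (e.g. PROT_EXEC added under READ_IMPLIES_EXEC), not only the flags the application requested.` Note also that init's `write` builtin is, as far as I recall, best-effort: if /sys/fs/selinux is not mounted at this point or the kernel does not expose checkreqprot, boot continues with the kernel's default behaviour and only a log line records the failure, so a bring-up check that reads the attribute back after boot is worth having. Placing the write in early-init, before setcon and before any other service is started, is the right ordering, since the setting only governs mmap/mprotect decisions made after it is written; the `on early-init` section itself starts before this hunk.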