openkylin
/
platform_system_core
mirror of https://gitee.com/openkylin/platform_system_core.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. 

If checkreqprot == 1, SELinux only checks the protection flags passed
by the application, even if the kernel internally adds PROT_EXEC for
READ_IMPLIES_EXEC personality flags.  Switch to checkreqprot == 0
to check the final protection flags applied by the kernel.

Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2013-12-23 16:26:46 -05:00
parent cd8b953ede
commit 5e1461dc90
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rootdir/init.rc
View File

@ -13,6 +13,9 @@ on early-init
# Set init and its forked children's oom_adj.
write /proc/1/oom_adj -16
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
write /sys/fs/selinux/checkreqprot 0
# Set the security context for the init process.
# This should occur before anything else (e.g. ueventd) is started.
setcon u:r:init:s0