UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/security
History
Stephen Smalley e9c38f9fc2 Documentation,selinux: deprecate setting checkreqprot to 1 
Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
parameter or /sys/fs/selinux/checkreqprot.  Setting it to 0 is left
intact for compatibility since Android and some Linux distributions
do so for security and treat an inability to set it as a fatal error.
Eventually setting it to 0 will become a no-op and the kernel will
stop using checkreqprot's value internally altogether.

checkreqprot was originally introduced as a compatibility mechanism
for legacy userspace and the READ_IMPLIES_EXEC personality flag.
However, if set to 1, it weakens security by allowing mappings to be
made executable without authorization by policy.  The default value
for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
from 1 to 0 in commit 2a35d196c1 ("selinux: change
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
and Linux distributions began explicitly setting
/sys/fs/selinux/checkreqprot to 0 some time ago.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
 		2020-02-10 10:49:01 -05:00
..
apparmor linux-kselftest-5.6-rc1-kunit 2020-01-29 15:25:34 -08:00
integrity Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2020-01-28 18:52:09 -08:00
keys Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2020-01-28 18:52:09 -08:00
loadpin proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
lockdown security,lockdown,selinux: implement SELinux lockdown 2019-12-09 17:53:58 -05:00
safesetid security/safesetid: Replace rcu_swap_protected() with rcu_replace_pointer() 2019-10-30 08:45:57 -07:00
selinux Documentation,selinux: deprecate setting checkreqprot to 1 2020-02-10 10:49:01 -05:00
smack Merge branch 'merge.nfs-fs_parse.1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-02-08 13:26:41 -08:00
tomoyo tomoyo: Use atomic_t for statistics counter 2020-01-02 12:53:49 +09:00
yama proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
Kconfig Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
Kconfig.hardening meminit fix 2019-07-28 12:33:15 -07:00
Makefile security: only build lsm_audit if CONFIG_SECURITY=y 2019-12-10 13:51:42 -05:00
commoncap.c Merge branch 'next-lsm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-07-09 12:24:21 -07:00
device_cgroup.c device_cgroup: Export devcgroup_check_permission 2019-10-07 15:11:38 -05:00
inode.c Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
lsm_audit.c security,lockdown,selinux: implement SELinux lockdown 2019-12-09 17:53:58 -05:00
min_addr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
security.c Merge branch 'for-v5.6' of git://git.kernel.org:/pub/scm/linux/kernel/git/jmorris/linux-security 2020-01-28 18:55:17 -08:00