xref: /linux/Documentation/ABI/removed/sysfs-selinux-checkreqprot (revision 34dc1baba215b826e454b8d19e4f24adbeb7d00d)
What:		/sys/fs/selinux/checkreqprot
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in
	March 2023, the original deprecation notice is shown below.

	The selinuxfs "checkreqprot" node allows SELinux to be configured
	to check the protection requested by userspace for mmap/mprotect
	calls instead of the actual protection applied by the kernel.
	This was a compatibility mechanism for legacy userspace and
	for the READ_IMPLIES_EXEC personality flag.  However, if set to
	1, it weakens security by allowing mappings to be made executable
	without authorization by policy.  The default value of checkreqprot
	at boot was changed starting in Linux v4.4 to 0 (i.e. check the
	actual protection), and Android and Linux distributions have been
	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
	initialization for some time.  Support for setting checkreqprot to 1
	will be removed no sooner than June 2021, at which point the kernel
	will always cease using checkreqprot internally and will always
	check the actual protections being applied upon mmap/mprotect calls.
	The checkreqprot selinuxfs node will remain for backward compatibility
	but will discard writes of the "0" value and will reject writes of the
	"1" value when this mechanism is removed.
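Added example (not part of the kernel documentation and not kernel code): a simplified C model of why checking the requested protection leaves PROT_EXEC unchecked under READ_IMPLIES_EXEC, together with a reader for the node that an audit script could use. All function names are hypothetical, and the model ignores the kernel's exception for files on noexec mounts.

```c
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>

/* Model (assumption, simplified): protection the kernel ends up applying. */
static int applied_prot(int reqprot, unsigned long persona)
{
    if ((reqprot & PROT_READ) && (persona & READ_IMPLIES_EXEC))
        return reqprot | PROT_EXEC;   /* readable mappings become executable */
    return reqprot;
}

/* Protection SELinux evaluates against policy for a given checkreqprot value. */
static int checked_prot(int reqprot, unsigned long persona, int checkreqprot)
{
    return checkreqprot ? reqprot : applied_prot(reqprot, persona);
}

/* Bits present on the mapping that policy was never asked about. */
static int unchecked_bits(int reqprot, unsigned long persona, int checkreqprot)
{
    return applied_prot(reqprot, persona) & ~checked_prot(reqprot, persona, checkreqprot);
}

/* Parse the node contents: returns 0 or 1, or -1 for anything unexpected. */
static int parse_checkreqprot(const char *buf)
{
    if (!buf || (buf[0] != '0' && buf[0] != '1') || (buf[1] != '\0' && buf[1] != '\n'))
        return -1;
    return buf[0] - '0';
}

int main(void)
{
    char buf[8] = "";
    FILE *f = fopen("/sys/fs/selinux/checkreqprot", "r");
    int v = -1;

    if (f) {
        if (fgets(buf, sizeof(buf), f))
            v = parse_checkreqprot(buf);
        fclose(f);
    }
    printf("checkreqprot on this host: %d (-1 = node absent or unreadable)\n", v);
    printf("PROT_READ + READ_IMPLIES_EXEC, checkreqprot=1: unchecked bits 0x%x\n",
           unchecked_bits(PROT_READ, READ_IMPLIES_EXEC, 1));
    return 0;
}
```
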