DEPRECATE checkreqprot
NOTE: This page is a work in progress.
The checkreqprot flag was originally introduced as a compatibility mechanism for legacy userspace and the READ_IMPLIES_EXEC personality flag. However, if set to 1, it weakens security by allowing memory mappings to be made executable without authorization by policy.
This tunable could be toggled at kernel build-time with the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE kernel configuration setting or at run-time with "/sys/fs/selinux/checkreqprot".
Setting checkreqprot to 1 was deprecated with Linux 5.7 and the default value was changed from 1 to 0.
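The following is an added example, not code from this wiki or from the SELinux project, showing how a defender can verify both the run-time value (/sys/fs/selinux/checkreqprot) and the build-time default (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE in the kernel .config) and report whether the system is left in the weakened checkreqprot=1 state. The function names, the `--check` option and the practice of reading the value from a caller-supplied file path (so it can be exercised against a constructed file when no SELinux filesystem is mounted) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not SELinux project code): audit the
# checkreqprot tunable at run time and its build-time default.

# Print the current value: "0" means SELinux checks the protection the kernel
# actually applies (the hardened setting); "1" means it checks only what the
# application requested (the deprecated, weaker setting).
# Defaults to /sys/fs/selinux/checkreqprot; any readable file may be passed
# instead, e.g. a constructed file when testing offline.
checkreqprot_value() {
    file="${1:-/sys/fs/selinux/checkreqprot}"
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    tr -d '[:space:]' < "$file"
}

# Look up the build-time default in a kernel .config file.
# Prints the numeric value, or "unset" when the option does not appear
# (the option is absent on kernels that no longer offer it).
checkreqprot_config_default() {
    config="$1"
    [ -r "$config" ] || { echo "unreadable: $config" >&2; return 2; }
    val=$(sed -n 's/^CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=\([0-9]*\)$/\1/p' "$config")
    echo "${val:-unset}"
}

# Turn a value into a verdict. Returns 0 when secure, 1 when weak, 2 when the
# value is not recognised.
checkreqprot_assess() {
    case "$1" in
        0) echo "ok: checkreqprot=0, the kernel-applied protection is what policy checks"; return 0 ;;
        1) echo "weak: checkreqprot=1, mappings can become executable without the execmem/execute check"; return 1 ;;
        *) echo "unknown checkreqprot value: $1"; return 2 ;;
    esac
}

# Usage on a live system:  sh checkreqprot-audit.sh --check [/path/to/.config]
if [ "${1:-}" = "--check" ]; then
    cur=$(checkreqprot_value) || exit 2
    checkreqprot_assess "$cur"
    rc=$?
    if [ -n "${2:-}" ]; then
        echo "build-time default: $(checkreqprot_config_default "$2")"
    fi
    exit "$rc"
fi
```

The run-time value is the one that matters for a running system; the .config lookup only tells you what the kernel booted with before any init script or firmware tooling wrote to /sys/fs/selinux/checkreqprot, which is why the example reports both.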
If you encounter suspicious and excessive read and execmem events, this may be due to a lack of support for this functionality in your chipset and/or a wrong configuration of your kernel.
Such events were reported, for example, with Qualcomm chipsets:
avc: denied { execmem } for pid=542 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execute } for pid=2635 comm="modprobe" path="/lib/modules/5.4.155/aead.ko" dev="overlay" ino=1112 scontext=u:r:kmodloader.subj tcontext=u:r:file.modulesfile tclass=file permissive=0
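As an added example (not part of this wiki page or the SELinux project), the script below summarises execmem and execute AVC denials of the kind quoted above per source domain and command, so that a burst of such events can be spotted and attributed before anyone reaches for checkreqprot or a policy change. It reads the log from a file path, which on a device would be a saved `dmesg` or `ausearch -m avc` dump; the function names and the sample log are this example's own. The sample is constructed: it contains the two denials quoted on this page plus one further execmem denial and one unrelated read denial, added here only to show the counting and the filtering.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not SELinux project code): triage
# execmem/execute AVC denials from a saved log.

# Constructed sample log: the two denials quoted on the wiki page, one extra
# execmem denial from the same domain, and one unrelated read denial that
# must be ignored by the filter.
write_sample_log() {
    cat > "$1" <<'EOF'
avc: denied { execmem } for pid=542 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execute } for pid=2635 comm="modprobe" path="/lib/modules/5.4.155/aead.ko" dev="overlay" ino=1112 scontext=u:r:kmodloader.subj tcontext=u:r:file.modulesfile tclass=file permissive=0
avc: denied { execmem } for pid=544 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { read } for pid=700 comm="cat" name="hosts" dev="overlay" ino=42 scontext=u:r:cat.subj tcontext=u:r:etc.file tclass=file permissive=0
EOF
}

# Print one line per (permission, source domain, comm) with its denial count,
# considering only execmem and execute denials. Output is sorted so it is
# stable regardless of awk's hash order.
exec_denials() {
    log="$1"
    awk '
        /avc: denied [{] (execmem|execute) [}]/ {
            perm = ""; comm = ""; sctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) { sctx = $i; sub(/^scontext=/, "", sctx) }
            }
            count[perm " " sctx " " comm]++
        }
        END { for (k in count) print k, count[k] }
    ' "$log" | sort
}

# Total number of execmem/execute denials in the log.
exec_denial_total() {
    exec_denials "$1" | awk '{ s += $NF } END { print s + 0 }'
}

# Usage:  sh avc-exec-triage.sh --demo        (runs on the constructed sample)
#         sh avc-exec-triage.sh /path/to/log  (runs on a saved dmesg/ausearch dump)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    exec_denials "$tmp"
    echo "total execmem/execute denials: $(exec_denial_total "$tmp")"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    exec_denials "$1"
    echo "total execmem/execute denials: $(exec_denial_total "$1")"
fi
```

A count dominated by one short-lived command repeating execmem from its own domain (as with `ip` in the sample) points at the kernel build and chipset support discussed on this page rather than at a policy gap, whereas execute denials on module files under /lib/modules usually need a look at the module loader's domain first.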
CITATION NEEDED
This is because kernels for Qualcomm chipsets have to be configured with CONFIG_STRICT_MEMORY_RWX=y because they do not support CONFIG_STRICT_KERNEL_RWX=y.