DEPRECATE checkreqprot
NOTE: This page is a work in progress.
Checkreqprot was originally introduced as a compatibility mechanism for legacy userspace and the READ_IMPLIES_EXEC personality flag. However, when set to 1 it weakens security: the kernel checks only the protection the application requested, so a mapping can end up executable without that executable permission ever being authorized by policy.
This tunable could be set at build time with the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE kernel configuration option or toggled at run time through "/sys/fs/selinux/checkreqprot".
Setting checkreqprot to 1 was deprecated with Linux 5.7, and the default value was changed from 1 to 0.
If you encounter suspicious and excessive read and execmem denials, this may be due to a lack of support for this functionality in your chipset and/or a wrong kernel configuration.
Such events have, for example, been reported with Qualcomm chipsets:
avc: denied { execmem } for pid=542 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execute } for pid=2635 comm="modprobe" path="/lib/modules/5.4.155/aead.ko" dev="overlay" ino=1112 scontext=u:r:kmodloader.subj tcontext=u:r:file.modulesfile tclass=file permissive=0
(citation needed)
This is because kernels for Qualcomm chipsets have to be configured with CONFIG_STRICT_MEMORY_RWX=y, since they do not support CONFIG_STRICT_KERNEL_RWX=y.
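As an added illustration (not part of this page or of the SELinux project), the following shell audit reports the run-time checkreqprot tunable described above together with the related build-time options from the Qualcomm note, treating 1 as the weak setting and 0 as the hardened one. It assumes the SELinux filesystem is mounted at /sys/fs/selinux and that the kernel configuration is readable from /proc/config.gz or /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example: audit the checkreqprot state of the running kernel.
# Assumes selinuxfs at /sys/fs/selinux and a readable kernel config.

CHECKREQPROT_FILE=${CHECKREQPROT_FILE:-/sys/fs/selinux/checkreqprot}

# classify_checkreqprot VALUE -> "hardened", "weak" or "unknown"
classify_checkreqprot() {
  case "$1" in
    0) echo hardened ;;  # policy sees the protection actually applied
    1) echo weak ;;      # policy sees only what the application requested
    *) echo unknown ;;
  esac
}

# kconfig_value FILE SYMBOL -> configured value (0, 1, y, ...) or "unset"
# Handles both a gzip-compressed config (/proc/config.gz) and a plain one.
kconfig_value() {
  file=$1; sym=$2
  [ -r "$file" ] || { echo unset; return; }
  case "$file" in
    *.gz) reader="gzip -cd" ;;
    *)    reader=cat ;;
  esac
  val=$($reader "$file" | sed -n "s/^$sym=//p" | head -n 1)
  if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# audit_checkreqprot -> prints the run-time state, the build-time options
# and, for the weak setting, the change that restores the hardened state.
audit_checkreqprot() {
  value=$(cat "$CHECKREQPROT_FILE" 2>/dev/null)
  state=$(classify_checkreqprot "$value")
  echo "checkreqprot=${value:-?} ($state)"
  cfg=/proc/config.gz
  [ -r "$cfg" ] || cfg=/boot/config-$(uname -r)
  for sym in CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE \
             CONFIG_STRICT_KERNEL_RWX CONFIG_STRICT_MEMORY_RWX; do
    echo "$sym=$(kconfig_value "$cfg" "$sym")"
  done
  if [ "$state" = weak ]; then
    echo "remediation: echo 0 > $CHECKREQPROT_FILE and rebuild with" \
         "CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0"
  fi
}

# Only run the audit when selinuxfs is actually present on this system.
if [ -r "$CHECKREQPROT_FILE" ]; then
  audit_checkreqprot
fi
```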