* Szabolcs Nagy: > Re-mmap executable segments if possible instead of using mprotect > to add PROT_BTI. This allows using BTI protection with security > policies that prevent mprotect with PROT_EXEC. > > If the fd of the ELF module is not available because it was kernel > mapped then mprotect is used and failures are ignored. It is > expected that linux kernel will add PROT_BTI when mapping a module > (current linux as of version 5.9 does not do this). > > Computing the mapping parameters follows the logic of > _dl_map_object_from_fd more closely now. What's the performance of this on execve-heavy workloads, such as kernel or glibc builds? Hopefully it's cheap because these mappings have not been faulted in yet. Thanks, Florian -- Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill