On Tue, Jan 14, 2025 at 3:41 PM Jeff Xu <jeffxu@xxxxxxxxxxxx> wrote:
>
> On Tue, Jan 14, 2025 at 2:42 PM Isaac Manjarres
> <isaacmanjarres@xxxxxxxxxx> wrote:
> >
> > On Tue, Jan 14, 2025 at 01:29:44PM -0800, Kees Cook wrote:
> > > On Tue, Jan 14, 2025 at 12:02:28PM -0800, Isaac Manjarres wrote:
> >
> > Alternatively, MFD_NOEXEC_SEAL could be extended
> > to prevent executable mappings, and MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
> > could be enabled, but that type of system would prevent memfd buffers
> > from being used for execution for legitimate use cases (e.g. JIT), which
> > may not be desirable.
> >
> The JIT case doesn't use execve(memfd), right?
> That might not be important. I also think SELinux policy will be a better
> option for this. There is a pending work item to restrict/enforce
> MFD_NOEXEC_SEAL on memfd_create().
>
> > > > --Isaac
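An added example, not code from this thread or from the kernel tree, that probes what MFD_NOEXEC_SEAL does and does not do today on a Linux 6.3+ kernel: the memfd comes back with F_SEAL_EXEC and no x bits, so fchmod(+x) and fexecve() are refused, while mmap(PROT_EXEC) of the same fd still succeeds. That surviving executable mapping is the gap Isaac describes above, and it is also why a JIT that only maps the buffer keeps working. The memfd name "noexec-probe" and the written payload are made up for the example; on a kernel that predates the flag, memfd_create() fails with EINVAL and the probe reports it as unsupported instead of guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values match the Linux UAPI. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif
#ifndef F_GET_SEALS
#define F_GET_SEALS 1034
#endif

struct memfd_noexec_probe {
    int supported;      /* 0 when the kernel rejects MFD_NOEXEC_SEAL (EINVAL, pre-6.3) */
    int sealed_exec;    /* F_SEAL_EXEC reported by F_GET_SEALS */
    int chmod_errno;    /* errno from fchmod(fd, 0755); EPERM once sealed */
    int exec_mmap_ok;   /* mmap(PROT_READ|PROT_EXEC) of the memfd succeeded */
    int fexecve_errno;  /* errno from fexecve(fd); EACCES because no x bits */
};

struct memfd_noexec_probe probe_memfd_noexec(void)
{
    struct memfd_noexec_probe p = {0};
    /* Constructed payload: deliberately neither an ELF nor a script, so that
     * even a kernel which ignored the missing x bits could not run it. */
    static const char payload[] = "not an executable\n";
    long page = sysconf(_SC_PAGESIZE);

    /* Hypothetical name, chosen for the example. */
    int fd = memfd_create("noexec-probe", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
    if (fd < 0)
        return p;           /* EINVAL: flag unknown to this kernel */
    p.supported = 1;

    if (ftruncate(fd, page) == 0 && pwrite(fd, payload, sizeof payload, 0) < 0)
        perror("pwrite");

    int seals = fcntl(fd, F_GET_SEALS);
    p.sealed_exec = seals >= 0 && (seals & F_SEAL_EXEC) != 0;

    /* The exec seal forbids turning the x bits back on. */
    if (fchmod(fd, 0755) < 0)
        p.chmod_errno = errno;

    /* An executable *mapping* is still allowed: neither MFD_NOEXEC_SEAL nor
     * vm.memfd_noexec touches mmap(), only the file mode and its seals. */
    void *m = mmap(NULL, (size_t)page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (m != MAP_FAILED) {
        p.exec_mmap_ok = 1;
        munmap(m, (size_t)page);
    }

    /* execve()/fexecve() of the memfd is what the cleared x bits block;
     * the permission check fails before the payload is even looked at. */
    char *argv[] = { "noexec-probe", NULL };
    char *envp[] = { NULL };
    if (fexecve(fd, argv, envp) < 0)    /* would not return on success */
        p.fexecve_errno = errno;

    close(fd);
    return p;
}

int main(void)
{
    struct memfd_noexec_probe p = probe_memfd_noexec();
    if (!p.supported) {
        puts("kernel rejected MFD_NOEXEC_SEAL (needs Linux 6.3+)");
        return 0;
    }
    printf("F_SEAL_EXEC set:   %s\n", p.sealed_exec ? "yes" : "no");
    printf("fchmod(fd, 0755):  %s\n", strerror(p.chmod_errno));
    printf("mmap(PROT_EXEC):   %s\n", p.exec_mmap_ok ? "allowed" : "refused");
    printf("fexecve(fd):       %s\n", strerror(p.fexecve_errno));
    return 0;
}
```

Setting vm.memfd_noexec=2 (the NOEXEC_ENFORCED scope) changes only the last line of that story: memfd_create() without MFD_NOEXEC_SEAL is rejected, but the PROT_EXEC mapping in the middle still succeeds, which is why the sysctl alone does not reach the JIT-style use and why a policy layer such as SELinux is being discussed for the mapping side.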