On 04/08/2014 06:00 AM, Florian Weimer wrote: > On 03/19/2014 08:06 PM, David Herrmann wrote: > >> Unlike existing techniques that provide similar protection, sealing >> allows >> file-sharing without any trust-relationship. This is enforced by >> rejecting seal >> modifications if you don't own an exclusive reference to the given >> file. So if >> you own a file-descriptor, you can be sure that no-one besides you can >> modify >> the seals on the given file. This allows mapping shared files from >> untrusted >> parties without the fear of the file getting truncated or modified by an >> attacker. > > How do you keep these promises on network and FUSE file systems? Surely > there is still some trust involved for such descriptors? > > What happens if you create a loop device on a sealed descriptor? > > Why does memfd_create not create a file backed by a memory region in the > current process? Wouldn't this be a far more generic primitive? > Creating aliases of memory regions would be interesting for many things > (not just libffi bypassing SELinux-enforced NX restrictions :-). If you write a patch to prevent selinux from enforcing NX, I will ack that patch with all my might. I don't know how far it would get me, but I think that selinux has no business going anywhere near execmem. Adding a clone mode to mremap might be a better bet. But memfd solves that problem, too, albeit messily. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
