On Fri, Dec 02, 2022 at 01:33:59AM +0000, jeffxu@xxxxxxxxxxxx wrote: > From: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> > > The new F_SEAL_EXEC flag will prevent modification of the exec bits: > written as traditional octal mask, 0111, or as named flags, S_IXUSR | > S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify > any of these bits after the seal is applied will fail with errno EPERM. > > This will preserve the execute bits as they are at the time of sealing, > so the memfd will become either permanently executable or permanently > un-executable. > > Co-developed-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> > Signed-off-by: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> Oh, one note on tag ordering here. Since you're sending it, I would expect this to read as: From: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> ... Signed-off-by: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> Co-developed-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> -- Kees Cook
