On Wed, Dec 07, 2022 at 03:49:34PM +0000, jeffxu@xxxxxxxxxxxx wrote: > From: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> > > The new F_SEAL_EXEC flag will prevent modification of the exec bits: > written as traditional octal mask, 0111, or as named flags, S_IXUSR | > S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify > any of these bits after the seal is applied will fail with errno EPERM. > > This will preserve the execute bits as they are at the time of sealing, > so the memfd will become either permanently executable or permanently > un-executable. > > Signed-off-by: Daniel Verkamp <dverkamp@xxxxxxxxxxxx> > Co-developed-by: Jeff Xu <jeffxu@xxxxxxxxxx> > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxx> It looks like my Reviewed-by: tag was dropped? https://lore.kernel.org/lkml/202212021443.0F684E33@keescook/ This patch is unchanged, so please carry forward any review/ack/tested tags, etc. But for the bots: Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
