On Tue, Jan 14, 2025 at 2:42 PM Isaac Manjarres <isaacmanjarres@xxxxxxxxxx> wrote:
>
> On Tue, Jan 14, 2025 at 01:29:44PM -0800, Kees Cook wrote:
> > On Tue, Jan 14, 2025 at 12:02:28PM -0800, Isaac Manjarres wrote:
>
> Alternatively, MFD_NOEXEC_SEAL could be extended
> to prevent executable mappings, and MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
> could be enabled, but that type of system would prevent memfd buffers
> from being used for execution for legitimate use cases (e.g. JIT), which
> may not be desirable.
>
The JIT case doesn't use execve(memfd), right?
>
> --Isaac
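The distinction the thread turns on is what MFD_NOEXEC_SEAL guarantees today: the memfd is created without execute bits and carries F_SEAL_EXEC, so the mode cannot later be made executable and execve() of the fd is refused, while an executable mapping of the same fd is not blocked by the flag. The following program is an added example written for this page, not code from the thread or the kernel tree; it creates such a memfd and checks each of those properties from userspace. The fallback macro values and the helper name `check_noexec_memfd` are this example's own; on a kernel without MFD_NOEXEC_SEAL (before 6.3) memfd_create() returns EINVAL and the helper reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* UAPI values, supplied only for older libc headers (assumed from the kernel ABI). */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum noexec_result {
    NOEXEC_OK = 0,          /* every guarantee checked below holds */
    NOEXEC_UNSUPPORTED = 1, /* kernel rejected the flag (EINVAL): pre-6.3 */
    NOEXEC_BROKEN = 2,      /* a guarantee did not hold */
};

/*
 * Create a memfd with MFD_NOEXEC_SEAL and verify the properties the flag
 * is documented to provide:
 *   1. the inode mode has no execute bits,
 *   2. F_GET_SEALS reports F_SEAL_EXEC,
 *   3. fchmod() cannot add execute bits (EPERM).
 * If exec_mmap_ok is non-NULL it receives whether mmap(PROT_EXEC) of the
 * fd still succeeds; the thread notes the flag does not stop that today,
 * so it is reported rather than treated as a failure.
 */
int check_noexec_memfd(int *exec_mmap_ok)
{
    int fd = memfd_create("noexec-demo", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
    if (fd < 0)
        return errno == EINVAL ? NOEXEC_UNSUPPORTED : NOEXEC_BROKEN;

    int result = NOEXEC_OK;

    struct stat st;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0111) != 0)
        result = NOEXEC_BROKEN;         /* execute bits must be clear */

    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || !(seals & F_SEAL_EXEC))
        result = NOEXEC_BROKEN;         /* F_SEAL_EXEC must be present */

    if (fchmod(fd, 0700) == 0 || errno != EPERM)
        result = NOEXEC_BROKEN;         /* adding +x must be refused */

    if (exec_mmap_ok) {
        *exec_mmap_ok = 0;
        /* give the file one page so the mapping is backed by real data */
        if (ftruncate(fd, 4096) == 0) {
            void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
            if (p != MAP_FAILED) {
                *exec_mmap_ok = 1;
                munmap(p, 4096);
            }
        }
    }

    close(fd);
    return result;
}

int main(void)
{
    int exec_mapping = 0;
    int r = check_noexec_memfd(&exec_mapping);
    printf("noexec memfd check: %s; executable mapping still allowed: %s\n",
           r == NOEXEC_OK ? "ok" : r == NOEXEC_UNSUPPORTED ? "unsupported" : "BROKEN",
           exec_mapping ? "yes" : "no");
    return r == NOEXEC_BROKEN;
}
```

Running this on a 6.3 or later kernel prints "ok" for the sealing checks; the final field is what the JIT question in the thread is about, since a JIT relies on the executable mapping rather than on execve() of the memfd.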