> The problem you seem to have with fully locked mseal() in chrome seems > to be here: > > > about permission changes but sometimes we do need to mprotect data only > > pages. > > Does that data have to be in the same region? Can your allocator not > put the non-code pieces of the JIT elsewhere, with a different > permission, fully immutable / msealed -- and perhaps even managed with a > different PKEY if neccessary? No we can't. We investigated this extensively since this also poses some difficulties on MacOS. We implemented different approaches but any such change to the allocator introduces too much of a performance impact.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature