Hi Jeff, On 10/4/24 9:31 AM, jeffxu@xxxxxxxxxxxx wrote: > From: Jeff Xu <jeffxu@xxxxxxxxxxxx> > > Seal vdso, vvar, sigpage, uprobes and vsyscall. > > > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> > --- > .../admin-guide/kernel-parameters.txt | 9 ++++ > arch/x86/entry/vsyscall/vsyscall_64.c | 9 +++- > fs/exec.c | 53 +++++++++++++++++++ > include/linux/fs.h | 1 + > mm/mmap.c | 1 + > security/Kconfig | 26 +++++++++ > 6 files changed, 97 insertions(+), 2 deletions(-) > > diff --git a/security/Kconfig b/security/Kconfig > index 28e685f53bd1..e289fbb5d676 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -51,6 +51,32 @@ config PROC_MEM_NO_FORCE > > endchoice > > +choice > + prompt "Seal system mappings" > + default SEAL_SYSTEM_MAPPINGS_NEVER > + help > + Seal system mappings such as vdso, vvar, sigpage, uprobes and > + vsyscall. > + Note: kernel command line exec.seal_system_mappings overwrite this. overwrites > + > +config SEAL_SYSTEM_MAPPINGS_NEVER > + bool "Traditional behavior - not sealed" > + help > + Do not seal system mappings. > + This is default. > + > +config SEAL_SYSTEM_MAPPINGS_ALWAYS > + bool "Always seal system mappings" > + depends on 64BIT > + depends on !CHECKPOINT_RESTORE > + help > + Seal system mappings such as vdso, vvar, sigpage, uprobes and > + vsyscall. > + Note: CHECKPOINT_RESTORE might relocate vdso mapping during restore, > + and remap will fail if the mapping is sealed, therefore > + !CHECKPOINT_RESTORE is added as dependency. > +endchoice > + > config SECURITY > bool "Enable different security models" > depends on SYSFS -- ~Randy
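Review bot: Two wording points in the new `choice` block, both in help text a user will actually read in menuconfig. In the choice help, "kernel command line exec.seal_system_mappings overwrite this" needs "overwrites" (or "overrides", which is the usual Kconfig phrasing for a command-line parameter taking precedence); and the parameter is named without saying which values it accepts, so consider pointing readers to Documentation/admin-guide/kernel-parameters.txt, which the diffstat shows this patch also updates. In the SEAL_SYSTEM_MAPPINGS_NEVER help, "This is default." should read "This is the default." The `depends on !CHECKPOINT_RESTORE` on SEAL_SYSTEM_MAPPINGS_ALWAYS is well explained in its help text (restore may relocate the vdso, and mremap of a sealed mapping fails), which is the kind of justification that should stay with the option.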