On Mon, Oct 7, 2024 at 4:42 PM Randy Dunlap <rdunlap@xxxxxxxxxxxxx> wrote:
>
> Hi Jeff,
>
> On 10/4/24 9:31 AM, jeffxu@xxxxxxxxxxxx wrote:
> > From: Jeff Xu <jeffxu@xxxxxxxxxxxx>
> >
> > Seal vdso, vvar, sigpage, uprobes and vsyscall.
> >
> >
> > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx>
> > ---
> >  .../admin-guide/kernel-parameters.txt |  9 ++++
> >  arch/x86/entry/vsyscall/vsyscall_64.c |  9 +++-
> >  fs/exec.c                             | 53 +++++++++++++++++++
> >  include/linux/fs.h                    |  1 +
> >  mm/mmap.c                             |  1 +
> >  security/Kconfig                      | 26 +++++++++
> >  6 files changed, 97 insertions(+), 2 deletions(-)
> >
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 28e685f53bd1..e289fbb5d676 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -51,6 +51,32 @@ config PROC_MEM_NO_FORCE
> >
> >  endchoice
> >
> > +choice
> > +	prompt "Seal system mappings"
> > +	default SEAL_SYSTEM_MAPPINGS_NEVER
> > +	help
> > +	  Seal system mappings such as vdso, vvar, sigpage, uprobes and
> > +	  vsyscall.
> > +	  Note: kernel command line exec.seal_system_mappings overwrite this.
>
> overwrites

fixed. Thanks

> > +
> > +config SEAL_SYSTEM_MAPPINGS_NEVER
> > +	bool "Traditional behavior - not sealed"
> > +	help
> > +	  Do not seal system mappings.
> > +	  This is default.
> > +
> > +config SEAL_SYSTEM_MAPPINGS_ALWAYS
> > +	bool "Always seal system mappings"
> > +	depends on 64BIT
> > +	depends on !CHECKPOINT_RESTORE
> > +	help
> > +	  Seal system mappings such as vdso, vvar, sigpage, uprobes and
> > +	  vsyscall.
> > +	  Note: CHECKPOINT_RESTORE might relocate vdso mapping during restore,
> > +	  and remap will fail if the mapping is sealed, therefore
> > +	  !CHECKPOINT_RESTORE is added as dependency.
> > +endchoice
> > +
> >  config SECURITY
> >  	bool "Enable different security models"
> >  	depends on SYSFS
>
> --
> ~Randy
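Review bot: the `depends on !CHECKPOINT_RESTORE` on SEAL_SYSTEM_MAPPINGS_ALWAYS in the security/Kconfig hunk only enforces the CRIU restriction at build time, yet the choice help text states that the exec.seal_system_mappings command line "overwrite[s] this"; as written, a CHECKPOINT_RESTORE=y kernel that cannot select ALWAYS can still be booted into always-seal mode, hitting exactly the remap failure the second help text warns about. Either the help text should say that the boot-time override is subject to the same CHECKPOINT_RESTORE caveat, or the command-line parsing (not visible in this hunk) should refuse the override when CHECKPOINT_RESTORE is enabled. Two smaller wording points in the same hunk: "This is default." should read "This is the default.", and the choice help could name the accepted values of exec.seal_system_mappings so the reader does not have to consult kernel-parameters.txt to learn how the override works.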