On Tue, Jan 14, 2025 at 3:41 PM Jeff Xu <jeffxu@xxxxxxxxxxxx> wrote: > > On Tue, Jan 14, 2025 at 2:42 PM Isaac Manjarres > <isaacmanjarres@xxxxxxxxxx> wrote: > > > > On Tue, Jan 14, 2025 at 01:29:44PM -0800, Kees Cook wrote: > > > On Tue, Jan 14, 2025 at 12:02:28PM -0800, Isaac Manjarres wrote: > > > Alternatively, MFD_NOEXEC_SEAL could be extended > > to prevent executable mappings, and MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED > > could be enabled, but that type of system would prevent memfd buffers > > from being used for execution for legitimate usecases (e.g. JIT), which > > may not be desirable. > > > The JIT case doesn't use execve(memfd), right ? > That might not be important. I also think selinux policy will be a better option for this, There is a pending work item to restrict/enforce MFD_NOEXEC_SEAL on memfd_create(). > > > > --Isaac
