On Wed, 2025-02-12 at 14:01 +0000, Lorenzo Stoakes wrote:
> Thanks, yeah that's a good point, it would have to be implemented as a
> personality or something similar otherwise you're essentially relying on
> 'unsealing' which can't be permitted.
>
> I'm not sure how useful that'd be for the likes of rr though. But I suppose
> if it makes everything exec'd by a child inherit it then maybe that works
> for a debugging session etc.?

For whatever that's worth, ARCH=um should not need 'unsealing' or 'not
sealing' it for *itself*, but rather only for the *children* it starts,
which are for the userspace processes inside of it. Which I suppose could
actually start without a VDSO in the first place, but I don't think that's
possible now?

Which I'll note should not have access to the host, so in a way this outer
security feature (sealing) breaks the inner ARCH=um security, I think.

johannes
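The thread above turns on whether the vDSO mapping a process inherits is sealed, and whether the children UML spawns for its guest userspace would see the host's sealed vDSO. The following is an added example, not code from this thread or from the UML or mseal patches: a small probe that locates the `[vdso]` and `[vvar]` mappings in `/proc/self/maps` and tests whether they are sealed by re-applying each mapping's current protections with `mprotect(2)`. The check relies on the documented mseal(2) behaviour that `mprotect` on a sealed VMA fails with `EPERM`; on an unsealed VMA re-applying the same protections is a no-op and returns 0, so the probe never changes the mapping. The function names, the `vdso_range` struct and the sample maps lines are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical helper type for this example: one mapping from /proc/PID/maps. */
struct vdso_range {
    uintptr_t start, end;  /* [start, end) of the mapping */
    int prot;              /* PROT_* bits parsed from the perms column */
    int found;             /* set once a matching line was parsed */
};

/* Parse one /proc/PID/maps line such as
 *   "7ffd1f3a2000-7ffd1f3a4000 r-xp 00000000 00:00 0   [vdso]"
 * and fill *r when the pathname column equals `name` (e.g. "[vdso]").
 * Anonymous mappings have no pathname column, so they never match.
 * Returns 1 on a match, 0 otherwise. */
int parse_maps_line(const char *line, const char *name, struct vdso_range *r)
{
    unsigned long start, end;
    char perms[5];
    char path[256] = "";

    /* fields: start-end perms offset dev inode [pathname] */
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s", &start, &end, perms, path) < 3)
        return 0;
    if (strcmp(path, name) != 0)
        return 0;

    r->start = start;
    r->end = end;
    r->prot = (perms[0] == 'r' ? PROT_READ : 0) |
              (perms[1] == 'w' ? PROT_WRITE : 0) |
              (perms[2] == 'x' ? PROT_EXEC : 0);
    r->found = 1;
    return 1;
}

/* Walk the current process's mappings looking for `name`. Returns 1 if found. */
int find_mapping(const char *name, struct vdso_range *r)
{
    char line[512];
    FILE *f = fopen("/proc/self/maps", "r");

    memset(r, 0, sizeof *r);
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (parse_maps_line(line, name, r))
            break;
    fclose(f);
    return r->found;
}

/* Re-apply the mapping's current protections. mseal(2) documents that mprotect
 * on a sealed VMA fails with EPERM; on an unsealed VMA this is a no-op.
 * Returns 1 if sealed, 0 if not sealed, -1 on any other error (errno is set). */
int probe_sealed(const struct vdso_range *r)
{
    if (mprotect((void *)r->start, (size_t)(r->end - r->start), r->prot) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

int main(void)
{
    const char *names[] = { "[vdso]", "[vvar]" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct vdso_range r;
        int sealed;

        if (!find_mapping(names[i], &r)) {
            printf("%s: not mapped in this process\n", names[i]);
            continue;
        }
        sealed = probe_sealed(&r);
        printf("%s %lx-%lx: %s\n", names[i],
               (unsigned long)r.start, (unsigned long)r.end,
               sealed == 1 ? "sealed" : sealed == 0 ? "not sealed" : strerror(errno));
    }
    return 0;
}
```

Run it on the host and again inside a UML guest's userspace: the host run shows whether the kernel seals its vDSO at all, and the guest run shows whether the processes UML started for its guest userspace inherited a host `[vdso]` that is sealed, which is the situation the message above is concerned about. A process that was started without a vDSO simply reports "not mapped".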