On 2/24/25 09:45, jeffxu@xxxxxxxxxxxx wrote:
> +/*
> + * mseal of userspace process's system mappings.
> + */
> +#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS
> +#define MSEAL_SYSTEM_MAPPINGS_VM_FLAG VM_SEALED
> +#else
> +#define MSEAL_SYSTEM_MAPPINGS_VM_FLAG VM_NONE
> +#endif

This ends up looking pretty wonky in practice:

> + vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP;
> + vm_flags |= MSEAL_SYSTEM_MAPPINGS_VM_FLAG;

because MSEAL_SYSTEM_MAPPINGS_VM_FLAG is so much different from the other
ones.

Would it really hurt to have

#ifdef CONFIG_64BIT
/* VM is sealed, in vm_flags */
#define VM_SEALED _BITUL(63)
+#else
+#define VM_SEALED VM_NONE
#endif

?

Then all the users could just do:

	vm_flags = VM_READ|VM_MAYREAD|VM_IO|VM_DONTDUMP|VM_PFNMAP|
		   VM_SEALED

That seems to be the common way of doing things. Take a look at:

# define VM_GROWSUP VM_NONE
...
# define VM_MTE VM_NONE
# define VM_MTE_ALLOWED VM_NONE
...
# define VM_UFFD_MINOR VM_NONE
...
#define VM_DROPPABLE VM_NONE

... and more
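
Review bot: in the quoted "#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS" block, MSEAL_SYSTEM_MAPPINGS_VM_FLAG expands to VM_SEALED, which the header snippet shown in this reply defines only under "#ifdef CONFIG_64BIT". Unless the Kconfig entry (not visible here) already depends on 64BIT, selecting the option on a 32-bit build leaves the macro referring to an undefined symbol. Suggest stating that dependency next to the block, and extending the comment to say the flag is meant to be OR-ed into vm_flags and evaluates to VM_NONE when the option is off.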
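
Review bot: with the suggested "+#define VM_SEALED VM_NONE" fallback and call sites OR-ing VM_SEALED directly, the CONFIG_MSEAL_SYSTEM_MAPPINGS gate from the original hunk no longer applies: the fallback keys only on CONFIG_64BIT, so every 64-bit kernel would seal these mappings whether or not the option is selected. If the opt-in is intended, keep a config-gated macro for the system-mapping users (a shorter name would address the readability complaint) and use the VM_NONE fallback only to cover the !CONFIG_64BIT case.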