On 2/24/25 10:55, Kees Cook wrote:
>> That logic is reasonable. But it's different from the _vast_ majority of
>> other flags.
>>
>> So what justifies VM_SEALED being so different? It's leading to pretty
>> objectively ugly code in this series.
> Note that VM_SEALED is the "is this VMA sealed?" bit itself. The define
> for "should we perform system mapping sealing?" is intentionally separate
> here, so that it can be Kconfig and per-arch toggled, etc.

Ahh, makes sense.

> As for the name, I have no strong opinion. Perhaps VM_SEALED_SYSTEM_MAPPING ?

Yeah, that'd work. Just something more consistent with the existing
naming and more compact. I think:

	VM_SEALED_SYS

would fit in nicely.