On Tue, Mar 26, 2024 at 09:49:26AM -0700, Christoph Hellwig wrote:
> On Tue, Mar 26, 2024 at 09:47:36AM -0700, Darrick J. Wong wrote:
> > There's not much reason.  Now that memfd_create has existed for a decade
> > and the other flags for even longer, I'll drop all these configure
> > checks.
>
> The only really new and at the same time important/new one is
> MFD_NOEXEC_SEAL.  That's why I'd love to just define it if it isn't
> defined so that any recent kernel (including distro backports) gets
> the flag and we avoid having executable memory as much as possible.

<nod> I'll factor that in too:

/*
 * Starting with Linux 6.3, there's a new MFD_NOEXEC_SEAL flag that disables
 * the longstanding memfd behavior that files are created with the executable
 * bit set, and seals the file against it being turned back on.
 */
#ifndef MFD_NOEXEC_SEAL
# define MFD_NOEXEC_SEAL	(0x0008U)
#endif

and later:

	/*
	 * memfd_create was added to kernel 3.17 (2014).  MFD_NOEXEC_SEAL
	 * causes -EINVAL on old kernels, so fall back to omitting it so that
	 * new xfs_repair can run on an older recovery cd kernel.
	 */
	fd = memfd_create(description, MFD_CLOEXEC | MFD_NOEXEC_SEAL);
	if (fd >= 0)
		goto got_fd;
	fd = memfd_create(description, MFD_CLOEXEC);
	if (fd >= 0)
		goto got_fd;

--D
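An added example, not code from this thread or from xfsprogs: the same try-then-fall-back sequence wrapped in a hypothetical helper, `open_noexec_memfd()`, which also reports through `F_GET_SEALS` and `fstat()` whether the kernel really applied the exec seal. It retries only on `EINVAL`, whereas the fragment above retries on any failure; the `struct memfd_result` type, the extra constant fallbacks and the repeated prototype are assumptions made so the block builds against older headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fallbacks for older headers; values are the Linux UAPI constants. */
#ifndef MFD_CLOEXEC
# define MFD_CLOEXEC		(0x0001U)
#endif
#ifndef MFD_NOEXEC_SEAL
# define MFD_NOEXEC_SEAL	(0x0008U)
#endif
#ifndef F_GET_SEALS
# define F_GET_SEALS		(1024 + 10)
#endif
#ifndef F_SEAL_EXEC
# define F_SEAL_EXEC		(0x0020)
#endif
/* Same prototype as libc's, repeated in case _GNU_SOURCE took effect too late. */
int memfd_create(const char *name, unsigned int flags);

struct memfd_result {		/* hypothetical helper type, not from xfsprogs */
	int fd;			/* descriptor, or -1 on failure */
	int noexec;		/* 1 if the kernel accepted MFD_NOEXEC_SEAL */
	int exec_sealed;	/* 1 if F_SEAL_EXEC is set on the file */
	int exec_bits;		/* st_mode & 0111; 0 means no x bits */
};

struct memfd_result open_noexec_memfd(const char *description)
{
	struct memfd_result r = { -1, 0, 0, 0 };
	struct stat sb;
	int seals;

	r.fd = memfd_create(description, MFD_CLOEXEC | MFD_NOEXEC_SEAL);
	if (r.fd >= 0)
		r.noexec = 1;
	else if (errno == EINVAL)	/* kernel does not know the flag */
		r.fd = memfd_create(description, MFD_CLOEXEC);
	if (r.fd < 0)
		return r;
	/* Read back what the kernel actually did rather than trusting the flags. */
	seals = fcntl(r.fd, F_GET_SEALS);
	r.exec_sealed = seals >= 0 && (seals & F_SEAL_EXEC);
	if (fstat(r.fd, &sb) == 0)
		r.exec_bits = sb.st_mode & 0111;
	return r;
}
```

A caller that requires non-executable memory can refuse to continue when `noexec` is 0 instead of silently accepting the fallback descriptor.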