IMO: The approaches mimmutable() and mseal() took are different, but we all want to seal the memory from attackers and make the linux application safer.
I think you are building mseal for chrome, and chrome alone.
I do not think this will work out for the rest of the application space because
- it is too complicated
- experience with mimmutable() says that applications don't do any of it themselves, it is all in execve(), libc initialization, and ld.so. You don't strike me as an execve, libc, or ld.so developer.
We do want to build this in a way that it can be applied automatically by ld.so and we appreciate all your feedback on this. The intention of splitting the sealing by syscall was to provide flexibility while still allowing ld.so to seal all operations. But it's clear from the feedback that both the fine grained split and the per-syscall approach are not the right way to go. Does Linus' proposal to just split munmap / mprotect sealing address your complexity concerns? ld.so would always use both flags which should then behave similar to mimmutable().