On Wed, Dec 07, 2022 at 03:49:34PM +0000, jeffxu@chromium.org wrote:
From: Daniel Verkamp <dverkamp@chromium.org>
The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM.
This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable.
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Co-developed-by: Jeff Xu <jeffxu@google.com>
Signed-off-by: Jeff Xu <jeffxu@google.com>
It looks like my Reviewed-by: tag was dropped?
https://lore.kernel.org/lkml/202212021443.0F684E33@keescook/
This patch is unchanged, so please carry forward any review/ack/tested tags, etc.
But for the bots:
Reviewed-by: Kees Cook <keescook@chromium.org>
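As an added example (my own code, not from the patch or this thread), a C function that exercises what the commit message describes: it creates a sealable memfd, sets the exec bits, applies F_SEAL_EXEC, then confirms that flipping any of the 0111 bits fails with EPERM while a mode change that leaves them alone is still accepted. The function name, the result enum and the fallback constant values are my assumptions; it also assumes the default vm.memfd_noexec setting and reports "unsupported" on a kernel that does not know the seal.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* uapi constants, for libc headers that predate them (values assumed from uapi fcntl.h). */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 2U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum seal_exec_result {
    SEAL_EXEC_ENFORCED,    /* sealed; chmod of the exec bits was refused with EPERM */
    SEAL_EXEC_UNSUPPORTED, /* running kernel does not know F_SEAL_EXEC (or refuses memfd) */
    SEAL_EXEC_ERROR        /* unexpected failure or behaviour */
};
/* Seal a memfd's exec bits and verify they cannot be flipped afterwards.
 * want_exec picks whether it is frozen as executable (0755) or not (0644).
 * Assumes vm.memfd_noexec is 0 (default), so the kernel does not seal on its own. */
enum seal_exec_result demo_seal_exec(int want_exec)
{
    /* Raw syscall so the example builds even where libc lacks memfd_create(). */
    int fd = (int)syscall(SYS_memfd_create, "seal-exec-demo", MFD_ALLOW_SEALING);
    if (fd < 0)
        return (errno == ENOSYS || errno == EPERM) ? SEAL_EXEC_UNSUPPORTED : SEAL_EXEC_ERROR;
    mode_t before = want_exec ? 0755 : 0644;
    if (fchmod(fd, before) < 0) {      /* not sealed yet, so this is still allowed */
        close(fd);
        return SEAL_EXEC_ERROR;
    }
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0) {
        int saved = errno;             /* EINVAL: kernel rejects the unknown seal */
        close(fd);
        return saved == EINVAL ? SEAL_EXEC_UNSUPPORTED : SEAL_EXEC_ERROR;
    }
    /* Toggling any of S_IXUSR|S_IXGRP|S_IXOTH must now fail with EPERM ... */
    int flip = fchmod(fd, before ^ 0111);
    int flip_errno = errno;
    /* ... while a mode change that leaves the exec bits alone is still accepted. */
    int other = fchmod(fd, before ^ S_IWGRP);
    struct stat st;
    int stat_rc = fstat(fd, &st);
    close(fd);
    if (flip == 0 || flip_errno != EPERM || other != 0 || stat_rc != 0)
        return SEAL_EXEC_ERROR;
    return (st.st_mode & 0111) == (before & 0111) ? SEAL_EXEC_ENFORCED : SEAL_EXEC_ERROR;
}
```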