On Fri, Dec 02, 2022 at 01:33:59AM +0000, jeffxu@chromium.org wrote:
From: Daniel Verkamp dverkamp@chromium.org
The new F_SEAL_EXEC flag will prevent modification of the exec bits: written as traditional octal mask, 0111, or as named flags, S_IXUSR | S_IXGRP | S_IXOTH. Any chmod(2) or similar call that attempts to modify any of these bits after the seal is applied will fail with errno EPERM.
This will preserve the execute bits as they are at the time of sealing, so the memfd will become either permanently executable or permanently un-executable.
Co-developed-by: Jeff Xu jeffxu@chromium.org Signed-off-by: Jeff Xu jeffxu@chromium.org Signed-off-by: Daniel Verkamp dverkamp@chromium.org
Oh, one note on tag ordering here. Since you're sending it, I would expect this to read as:
From: Daniel Verkamp dverkamp@chromium.org ... Signed-off-by: Daniel Verkamp dverkamp@chromium.org Co-developed-by: Jeff Xu jeffxu@chromium.org Signed-off-by: Jeff Xu jeffxu@chromium.org