On Tue, Jan 14, 2025 at 3:41 PM Jeff Xu jeffxu@chromium.org wrote:
On Tue, Jan 14, 2025 at 2:42 PM Isaac Manjarres isaacmanjarres@google.com wrote:
On Tue, Jan 14, 2025 at 01:29:44PM -0800, Kees Cook wrote:
On Tue, Jan 14, 2025 at 12:02:28PM -0800, Isaac Manjarres wrote:
Alternatively, MFD_NOEXEC_SEAL could be extended to prevent executable mappings, and MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED could be enabled, but that type of system would prevent memfd buffers from being used for execution for legitimate use cases (e.g. JIT), which may not be desirable.
The JIT case doesn't use execve(memfd), right?
That might not be important.
I also think selinux policy will be a better option for this. There is a pending work item to restrict/enforce MFD_NOEXEC_SEAL on memfd_create().
--Isaac