From nobody Fri Feb 13 16:37:02 2026 Received: from mail-ot1-f51.google.com (mail-ot1-f51.google.com [209.85.210.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 491F1383B0 for ; Fri, 24 May 2024 03:39:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716521992; cv=none; b=g3ZGItE4oEZZ05qG5w2PSS3VxJPU8BIX3IVNmhhQzmNTrDYh2qT4TF4Mp6J3PAKBWo7TGmyEV7WjtnfUAokIBMedqtnOH/lXKCP+IVg/a4uwC7lBRmXrp2PKl6v03GABHef8f9IC7Q3rHdgdkhtGalmJOauD3b/FXrcIfMNZXUI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716521992; c=relaxed/simple; bh=23moA4iMJXSgtkxujKg/JAxWm3k0ziZQHmIoopuyc70=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=hvzuMJMCt6UHMOBEAUD1VZM7fdkstlcfyoe5o0vCEbp8ggAFwwLvh+U5fpUYKL6Gm+6lruUlTTifzWu5GervsFDFpzLN3VW/zi9BkYdlOiTfC2ZcwONo9/2+rU/URhTZNsr16lgw3eHK5duARkOcPzyP8MOeL8xCsYPxVL131Vk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=EAnFq72n; arc=none smtp.client-ip=209.85.210.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="EAnFq72n" Received: by mail-ot1-f51.google.com with SMTP id 46e09a7af769-6f0f728d373so3838002a34.0 for ; Thu, 23 May 2024 20:39:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1716521990; x=1717126790; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=j6jr022mlOQVdTQNdYCM0jmCCOa9PK9T8m0GA7PmwSw=; b=EAnFq72nP3DWnIENBt6bak1yK0hRnCHettp4QHJW+TniqVP1Ukusn/rGWO15BP6o8N TOUI3uMjvlZPtbD7OzxanVlYjZEK0W5yfgZkGmQ948JLY+b3nT19tnfQ7pNKh/C5vpbP gN5bljzjnZpklV4Yw0rmR1uTSkuavL9c8c9Ig= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716521990; x=1717126790; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=j6jr022mlOQVdTQNdYCM0jmCCOa9PK9T8m0GA7PmwSw=; b=f5foWUeXEaxrDy6U/RabrhBvClgGHk+gcGeX7nJbiH/3ky7P9EipMBRixiTtWIpGKc 0Yg35SpHXOLeiS61k4GTKG2hyidpqV9ltM/RvrQiAXtqEUWQCxJxH1VIMT6uGUORBHAp UxMJBxQrVYSZc9owen4PMo0nKmc+48LD2IAcMi23ufJzmXx2IOXzYIo6SedOi5+QsrbP OyydPtiqHPqObYcTZ8yaYKgekZCShlDx3x3ZO8tgIUFCGb3UzLKqBc9AoyEipF5QGo1t +4SZp7hNUDyjLHugEkYGO3a5x4ewC5zcVotEIzgXUdD2XVN0PT7LeRN36eLEiqv1qDUK R/9g== X-Forwarded-Encrypted: i=1; AJvYcCXwbc2CjSARCy2l50ZzXIJ6WmGF5qHQWCpykStTj9Tux6+DlHuin7UZ301g5//37Rv3QLtcVtY/YohSWDp0Y8Nd7j2iTyJnp0G812Vi X-Gm-Message-State: AOJu0Yx8eCR+TPKkD9VBdLasVhN93P7lUI5nmv0otuA39aVrSf8K0CkN zq/hVpF/bUVQCGi4/7WAtUvJI9mM2+iF83jMAD/WeD4XtOofO9JyZGTbi3AEDA== X-Google-Smtp-Source: AGHT+IHZf+jr2XVCdIxoQjdDZnqMqm+D003gUslsBjdQqg0R++wGRM0qaMzD5yCdbM2LCfnRng/Tyg== X-Received: by 2002:a05:6870:1492:b0:24c:6198:5ff8 with SMTP id 586e51a60fabf-24ca105306amr1500902fac.4.1716521990321; Thu, 23 May 2024 20:39:50 -0700 (PDT) Received: from localhost (197.59.83.34.bc.googleusercontent.com. [34.83.59.197]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-6f8fcbeb674sm315258b3a.122.2024.05.23.20.39.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 May 2024 20:39:50 -0700 (PDT) From: jeffxu@chromium.org To: jeffxu@google.com Cc: jeffxu@chromium.org, akpm@linux-foundation.org, cyphar@cyphar.com, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org, David Rheinsberg Subject: [PATCH v2 1/2] memfd: fix MFD_NOEXEC_SEAL to be non-sealable by default Date: Fri, 24 May 2024 03:39:30 +0000 Message-ID: <20240524033933.135049-2-jeffxu@google.com> X-Mailer: git-send-email 2.45.1.288.g0e0cd299f1-goog In-Reply-To: <20240524033933.135049-1-jeffxu@google.com> References: <20240524033933.135049-1-jeffxu@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Jeff Xu By default, memfd_create() creates a non-sealable MFD, unless the MFD_ALLOW_SEALING flag is set. When the MFD_NOEXEC_SEAL flag is initially introduced, the MFD created with that flag is sealable, even though MFD_ALLOW_SEALING is not set. This patch changes MFD_NOEXEC_SEAL to be non-sealable by default, unless MFD_ALLOW_SEALING is explicitly set. This is a non-backward compatible change. However, as MFD_NOEXEC_SEAL is new, we expect not many applications will rely on the nature of MFD_NOEXEC_SEAL being sealable. In most cases, the application already sets MFD_ALLOW_SEALING if they need a sealable MFD. Additionally, this enhances the useability of pid namespace sysctl vm.memfd_noexec. When vm.memfd_noexec equals 1 or 2, the kernel will add MFD_NOEXEC_SEAL if mfd_create does not specify MFD_EXEC or MFD_NOEXEC_SEAL, and the addition of MFD_NOEXEC_SEAL enables the MFD to be sealable. This means, any application that does not desire this behavior will be unable to utilize vm.memfd_noexec =3D 1 or 2 to migrate/enforce non-executable MFD. This adjustment ensures that applications can anticipate that the sealable characteristic will remain unmodified by vm.memfd_noexec. This patch was initially developed by Barnab=C3=A1s P=C5=91cze, and Barnab= =C3=A1s used Debian Code Search and GitHub to try to find potential breakages and could only find a single one. Dbus-broker's memfd_create() wrapper is aware of this implicit `MFD_ALLOW_SEALING` behavior, and tries to work around it [1]. This workaround will break. Luckily, this only affects the test suite, it does not affect the normal operations of dbus-broker. There is a PR with a fix[2]. In addition, David Rheinsberg also raised similar fix in [3] [1]: https://github.com/bus1/dbus-broker/blob/9eb0b7e5826fc76cad7b025bc46f2= 67d4a8784cb/src/util/misc.c#L114 [2]: https://github.com/bus1/dbus-broker/pull/366 [3]: https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.e= u/ Cc: stable@vger.kernel.org Fixes: 105ff5339f498a ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") Signed-off-by: Barnab=C3=A1s P=C5=91cze Signed-off-by: Jeff Xu Reviewed-by: David Rheinsberg --- mm/memfd.c | 9 ++++---- tools/testing/selftests/memfd/memfd_test.c | 26 +++++++++++++++++++++- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 7d8d3ab3fa37..8b7f6afee21d 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -356,12 +356,11 @@ SYSCALL_DEFINE2(memfd_create, =20 inode->i_mode &=3D ~0111; file_seals =3D memfd_file_seals_ptr(file); - if (file_seals) { - *file_seals &=3D ~F_SEAL_SEAL; + if (file_seals) *file_seals |=3D F_SEAL_EXEC; - } - } else if (flags & MFD_ALLOW_SEALING) { - /* MFD_EXEC and MFD_ALLOW_SEALING are set */ + } + + if (flags & MFD_ALLOW_SEALING) { file_seals =3D memfd_file_seals_ptr(file); if (file_seals) *file_seals &=3D ~F_SEAL_SEAL; diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/sel= ftests/memfd/memfd_test.c index 95af2d78fd31..8579a93d006b 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1151,7 +1151,7 @@ static void test_noexec_seal(void) mfd_def_size, MFD_CLOEXEC | MFD_NOEXEC_SEAL); mfd_assert_mode(fd, 0666); - mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_assert_has_seals(fd, F_SEAL_SEAL | F_SEAL_EXEC); mfd_fail_chmod(fd, 0777); close(fd); } @@ -1169,6 +1169,14 @@ static void test_sysctl_sysctl0(void) mfd_assert_has_seals(fd, 0); mfd_assert_chmod(fd, 0644); close(fd); + + fd =3D mfd_assert_new("kern_memfd_sysctl_0_dfl", + mfd_def_size, + MFD_CLOEXEC); + mfd_assert_mode(fd, 0777); + mfd_assert_has_seals(fd, F_SEAL_SEAL); + mfd_assert_chmod(fd, 0644); + close(fd); } =20 static void test_sysctl_set_sysctl0(void) @@ -1206,6 +1214,14 @@ static void test_sysctl_sysctl1(void) mfd_assert_has_seals(fd, F_SEAL_EXEC); mfd_fail_chmod(fd, 0777); close(fd); + + fd =3D mfd_assert_new("kern_memfd_sysctl_1_noexec_nosealable", + mfd_def_size, + MFD_CLOEXEC | MFD_NOEXEC_SEAL); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC | F_SEAL_SEAL); + mfd_fail_chmod(fd, 0777); + close(fd); } =20 static void test_sysctl_set_sysctl1(void) @@ -1238,6 +1254,14 @@ static void test_sysctl_sysctl2(void) mfd_assert_has_seals(fd, F_SEAL_EXEC); mfd_fail_chmod(fd, 0777); close(fd); + + fd =3D mfd_assert_new("kern_memfd_sysctl_2_noexec_notsealable", + mfd_def_size, + MFD_CLOEXEC | MFD_NOEXEC_SEAL); + mfd_assert_mode(fd, 0666); + mfd_assert_has_seals(fd, F_SEAL_EXEC | F_SEAL_SEAL); + mfd_fail_chmod(fd, 0777); + close(fd); } =20 static void test_sysctl_set_sysctl2(void) --=20 2.45.1.288.g0e0cd299f1-goog From nobody Fri Feb 13 16:37:02 2026 Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C739938FA3 for ; Fri, 24 May 2024 03:39:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716521995; cv=none; b=Xdotfy1xQYu3z+9N+DIJ1ZzepjHeYZqqNaCXdMhVnHnnm/3CKvsoRQMrU2BwxDDaLlbxKwtYzTaHzz/OVWhXRkivW59jk/LS77tJdfSZH18LP75lcUDHrW9w+LydictiAiClu1J2PolO8RF8NdVsL+JH4WcQoGdnJwcNg9/o2DI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716521995; c=relaxed/simple; bh=kBlmceXG6bhkrmUXIGJbMc35HmIYYfFUgN5tK4gjObA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=jA4nIgJ1S11tMDGtbYFi8VtN1/PasDLMJH6XUKwsNvXZU1BIpE901+5oxFz5nSa6upBZWinTvT0PrjYHt14z7GpHOwUUIXUnA2OdjxtPfqPmi3drBF8J92+6DEL/G3ZyPXtVp9C1nzZcZJ3jLPU6lJ5HkebALoa0TdcxLasn5Dk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=g2OAYEzM; arc=none smtp.client-ip=209.85.215.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="g2OAYEzM" Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-6818e31e5baso391182a12.1 for ; Thu, 23 May 2024 20:39:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1716521993; x=1717126793; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=pesQo+6XyB9Sz7NquWrLJtfwCa+DVcXbb+XOLlmmUJA=; b=g2OAYEzMp38m7n8GB//ncGBNaVPGIaNaj94Nwk2AsoIuFP8PhjypIjP8fWALYCe9EI 61YM/fzluz3imdsxA2MPJkGgBKDPoyDEi2A4+aU8L83h8iqVmENSdMOHmLI5M2dCmBpD fmxIiO8DLKlUIHv5UIXCSZkSJzXBSeMxNfF2s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716521993; x=1717126793; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pesQo+6XyB9Sz7NquWrLJtfwCa+DVcXbb+XOLlmmUJA=; b=ccGSmgISCF8wXN/cw/vYps6xh2NbQaFonkogriwnf37SB9Vb1IMxlr++7rO9+HY59L lbBSjWWF2+L5SGbJwbR7/zzTgnV5IKMs3Saf8PKdXMAuiAMB59ch0nvb7OAaCay9UKMs CAtrgZuriXkAVJyjxnp1PK92eWdLBp7ku+doPQABXnSc/xuPBzi50YiFW2XwokGbYLRu 5Uu2SqVGJeHmzNjx9Y5m+S9iRMi9C+OLuw1L3V/8nWtbhgQ0NBvgWIfmE9zP8BtYJLc/ wOpRckFrD7EbMqku1jFhEj/sxnWjIyOimnueoVq/ptj6+26Ga6kt7qdT4JLrjkKTrURC c8rQ== X-Forwarded-Encrypted: i=1; AJvYcCWdz9ART7cSviCXUGarhgDi2OLNqCf2hsb3vDOPtn4mHvBTXQ7TzjneC6l86FqODW4jXGy5j89ttxkCxbS9RHQkrWVeS2hlbo797ngt X-Gm-Message-State: AOJu0Yw+rwuWIuwAK74w0TPuoFEUA3C6orLN55KGZQFDRDoQkh08QSBi NvthwxXghtg3g5/xe866elrqb4QWxCdTVlOAuVI6ratue9zRFp/6f5PeGcXJaw== X-Google-Smtp-Source: AGHT+IHdjBENRrBcj6qYEjj9L5n5wO1aZ+m3thRvOckQZLAGNspYj6ieCFrZ+b+e26D15nt1k6EE2w== X-Received: by 2002:a17:90b:604:b0:2b6:c650:fb54 with SMTP id 98e67ed59e1d1-2bf5f50a0cdmr948929a91.49.1716521992881; Thu, 23 May 2024 20:39:52 -0700 (PDT) Received: from localhost (197.59.83.34.bc.googleusercontent.com. [34.83.59.197]) by smtp.gmail.com with UTF8SMTPSA id 98e67ed59e1d1-2bf5f50c450sm406666a91.17.2024.05.23.20.39.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 May 2024 20:39:52 -0700 (PDT) From: jeffxu@chromium.org To: jeffxu@google.com Cc: jeffxu@chromium.org, akpm@linux-foundation.org, cyphar@cyphar.com, dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com, jorgelo@chromium.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pobrn@protonmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org Subject: [PATCH v2 2/2] memfd:add MEMFD_NOEXEC_SEAL documentation Date: Fri, 24 May 2024 03:39:31 +0000 Message-ID: <20240524033933.135049-3-jeffxu@google.com> X-Mailer: git-send-email 2.45.1.288.g0e0cd299f1-goog In-Reply-To: <20240524033933.135049-1-jeffxu@google.com> References: <20240524033933.135049-1-jeffxu@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Jeff Xu Add documentation for MFD_NOEXEC_SEAL and MFD_EXEC Cc: stable@vger.kernel.org Signed-off-by: Jeff Xu --- Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 90 ++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspac= e-api/index.rst index 5926115ec0ed..8a251d71fa6e 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -32,6 +32,7 @@ Security-related interfaces seccomp_filter landlock lsm + mfd_noexec spec_ctrl tee =20 diff --git a/Documentation/userspace-api/mfd_noexec.rst b/Documentation/use= rspace-api/mfd_noexec.rst new file mode 100644 index 000000000000..6f11ad86b076 --- /dev/null +++ b/Documentation/userspace-api/mfd_noexec.rst @@ -0,0 +1,90 @@ +.. SPDX-License-Identifier: GPL-2.0 + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Introduction of non executable mfd +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +:Author: + Daniel Verkamp + Jeff Xu + +:Contributor: + Aleksa Sarai + Barnab=C3=A1s P=C5=91cze + David Rheinsberg + +Since Linux introduced the memfd feature, memfd have always had their +execute bit set, and the memfd_create() syscall doesn't allow setting +it differently. + +However, in a secure by default system, such as ChromeOS, (where all +executables should come from the rootfs, which is protected by Verified +boot), this executable nature of memfd opens a door for NoExec bypass +and enables =E2=80=9Cconfused deputy attack=E2=80=9D. E.g, in VRP bug [1]= : cros_vm +process created a memfd to share the content with an external process, +however the memfd is overwritten and used for executing arbitrary code +and root escalation. [2] lists more VRP in this kind. + +On the other hand, executable memfd has its legit use, runc uses memfd=E2= =80=99s +seal and executable feature to copy the contents of the binary then +execute them, for such system, we need a solution to differentiate runc's +use of executable memfds and an attacker's [3]. + +To address those above. + - Let memfd_create() set X bit at creation time. + - Let memfd be sealed for modifying X bit when NX is set. + - A new pid namespace sysctl: vm.memfd_noexec to help applications to + migrating and enforcing non-executable MFD. + +User API +=3D=3D=3D=3D=3D=3D=3D=3D +``int memfd_create(const char *name, unsigned int flags)`` + +``MFD_NOEXEC_SEAL`` + When MFD_NOEXEC_SEAL bit is set in the ``flags``, memfd is created + with NX. F_SEAL_EXEC is set and the memfd can't be modified to + add X later. + This is the most common case for the application to use memfd. + +``MFD_EXEC`` + When MFD_EXEC bit is set in the ``flags``, memfd is created with X. + +Note: + ``MFD_NOEXEC_SEAL`` and ``MFD_EXEC`` doesn't change the sealable + characteristic of memfd, which is controlled by ``MFD_ALLOW_SEALING``. + + +Sysctl: +=3D=3D=3D=3D=3D=3D=3D=3D +``pid namespaced sysctl vm.memfd_noexec`` + +The new pid namespaced sysctl vm.memfd_noexec has 3 values: + + - 0: MEMFD_NOEXEC_SCOPE_EXEC + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_EXEC was set. + + - 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL + memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like + MFD_NOEXEC_SEAL was set. + + - 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED + memfd_create() without MFD_NOEXEC_SEAL will be rejected. + +The sysctl allows finer control of memfd_create for old-software that +doesn't set the executable bit, for example, a container with +vm.memfd_noexec=3D1 means the old-software will create non-executable memfd +by default while new-software can create executable memfd by setting +MFD_EXEC. + +The value of memfd_noexec is passed to child namespace at creation time, +in addition, the setting is hierarchical, i.e. during memfd_create, +we will search from current ns to root ns and use the most restrictive +setting. + +Reference: +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +[1] https://crbug.com/1305267 + +[2] https://bugs.chromium.org/p/chromium/issues/list?q=3Dtype%3Dbug-securi= ty%20memfd%20escalation&can=3D1 + +[3] https://lwn.net/Articles/781013/ --=20 2.45.1.288.g0e0cd299f1-goog