From: Jeff Xu <jeffxu@chromium.org>
To: Alice Ryhl <aliceryhl@google.com>
Cc: Isaac Manjarres <isaacmanjarres@google.com>,
Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>,
lorenzo.stoakes@oracle.com, Jeff Layton <jlayton@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Alexander Aring <alex.aring@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Shuah Khan <shuah@kernel.org>,
surenb@google.com, kaleshsingh@google.com, jstultz@google.com,
jeffxu@google.com, kees@kernel.org, kernel-team@android.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, linux-kselftest@vger.kernel.org
Subject: Re: [RFC PATCH RESEND v2 1/2] mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd
Date: Wed, 8 Jan 2025 08:34:03 -0800 [thread overview]
Message-ID: <CABi2SkWWfknibhP6KV16gbGH+Pj4kJC9JGUVaoLHyAwdxoucug@mail.gmail.com> (raw)
In-Reply-To: <CAH5fLgifNkTFTVHbsp7wXBgRQmXQ3+r3xD03bZq06gU7eOfDOw@mail.gmail.com>
On Wed, Jan 8, 2025 at 5:57 AM Alice Ryhl <aliceryhl@google.com> wrote:
>
> On Tue, Jan 7, 2025 at 6:21 AM Jeff Xu <jeffxu@chromium.org> wrote:
> > Do you know which code checks for VM_MAYEXEC flag in the mprotect code
> > path ? it isn't obvious to me, i.e. when I grep the VM_MAYEXEC inside
> > mm path, it only shows one place in mprotect and that doesn't do the
> > work.
> >
> > ~/mm/mm$ grep VM_MAYEXEC *
> > mmap.c: mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
> > mmap.c: vm_flags &= ~VM_MAYEXEC;
> > mprotect.c: if (rier && (vma->vm_flags & VM_MAYEXEC))
> > nommu.c: vm_flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
> > nommu.c: vm_flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
>
> The check happens here:
>
> /* newflags >> 4 shift VM_MAY% in place of VM_% */
> if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) {
> error = -EACCES;
> break;
> }
Thanks for helping !
-Jeff
>
> Alice
next prev parent reply other threads:[~2025-01-08 16:44 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-02 23:32 [RFC PATCH RESEND v2 0/2] Add file seal to prevent future exec mappings Isaac J. Manjarres
2025-01-02 23:32 ` [RFC PATCH RESEND v2 1/2] mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd Isaac J. Manjarres
2025-01-03 15:03 ` Jann Horn
2025-01-06 17:35 ` Jeff Xu
2025-01-07 1:26 ` Isaac Manjarres
2025-01-07 5:21 ` Jeff Xu
2025-01-08 13:57 ` Alice Ryhl
2025-01-08 16:34 ` Jeff Xu [this message]
2025-01-07 1:14 ` Isaac Manjarres
2025-01-08 20:43 ` Lorenzo Stoakes
2025-01-08 21:08 ` Lorenzo Stoakes
2025-01-08 20:54 ` Lorenzo Stoakes
2025-01-02 23:32 ` [RFC PATCH RESEND v2 2/2] selftests/memfd: Add tests for F_SEAL_FUTURE_EXEC Isaac J. Manjarres
2025-01-08 21:06 ` Lorenzo Stoakes
2025-01-08 20:12 ` [RFC PATCH RESEND v2 0/2] Add file seal to prevent future exec mappings Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABi2SkWWfknibhP6KV16gbGH+Pj4kJC9JGUVaoLHyAwdxoucug@mail.gmail.com \
--to=jeffxu@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=alex.aring@gmail.com \
--cc=aliceryhl@google.com \
--cc=chuck.lever@oracle.com \
--cc=isaacmanjarres@google.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jlayton@kernel.org \
--cc=jstultz@google.com \
--cc=kaleshsingh@google.com \
--cc=kees@kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=shuah@kernel.org \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox