Merge pull request #27659 from yuwata/memfd-seal

memfd-util: handle F_SEAL_EXEC flag

2 files changed, 17 insertions, 2 deletions

diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c
index 285abd41d3..8e6946642b 100644
--- a/src/basic/memfd-util.c
+++ b/src/basic/memfd-util.c
@@ -92,9 +92,15 @@ int memfd_map(int fd, uint64_t offset, size_t size, void **p) {
 }
 
 int memfd_set_sealed(int fd) {
+        int r;
+
         assert(fd >= 0);
 
-        return RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL));
+        r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_EXEC | F_SEAL_SEAL));
+        if (r == -EINVAL) /* old kernel ? */
+                r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL));
+
+        return r;
 }
 
 int memfd_get_sealed(int fd) {
@@ -106,7 +112,8 @@ int memfd_get_sealed(int fd) {
         if (r < 0)
                 return -errno;
 
-        return r == (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL);
+        /* We ignore F_SEAL_EXEC here to support older kernels. */
+        return FLAGS_SET(r, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL);
 }
 
 int memfd_get_size(int fd, uint64_t *sz) {
diff --git a/src/basic/missing_fcntl.h b/src/basic/missing_fcntl.h
index 79e95a8f6f..24b2dc3119 100644
--- a/src/basic/missing_fcntl.h
+++ b/src/basic/missing_fcntl.h
@@ -25,6 +25,14 @@
 #define F_SEAL_WRITE    0x0008  /* prevent writes */
 #endif
 
+#ifndef F_SEAL_FUTURE_WRITE
+#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
+#endif
+
+#ifndef F_SEAL_EXEC
+#define F_SEAL_EXEC     0x0020  /* prevent chmod modifying exec bits */
+#endif
+
 #ifndef F_OFD_GETLK
 #define F_OFD_GETLK     36
 #define F_OFD_SETLK     37