From: David Rheinsberg
Date: Mon, 17 Jul 2023 10:01:18 +0000 (+0200)
Subject: basic/memfd: reduce default seals to historic set
X-Git-Tag: v255-rc1~850^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1007a928a18baad7726113c9f473dd8b17cc0fe;p=thirdparty%2Fsystemd.git

basic/memfd: reduce default seals to historic set

Rather than always setting all seals, make `memfd_set_seals()` employ the original set of seals, that is: SEAL+GROW+SHRINK+WRITE

Historically, the memfd code was used with the out-of-tree memfd patches, which merely supported a single seal ("SEALED", which effectively was GROW+SHRINK+WRITE). When the code was adapted to the upstream memfd seals, it was extended to the full seal set. With more and more seals being added upstream, this became more problematic. In particular, it is unclear what the function really is meant to achieve. Instead of just adding all seals, the function is returned to its original purpose: seal the memfd so further modifications to its content are prevented.
---
diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c index c4e36b0ad45..e21514fa9ea 100644 --- a/src/basic/memfd-util.c +++ b/src/basic/memfd-util.c @@ -92,15 +92,9 @@ int memfd_map(int fd, uint64_t offset, size_t size, void **p) { } int memfd_set_sealed(int fd) { - int r; - assert(fd >= 0); - r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_EXEC | F_SEAL_SEAL)); - if (r == -EINVAL) /* old kernel ? */ - r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)); - - return r; + return RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)); } int memfd_get_sealed(int fd) {
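
Review bot: In memfd_set_sealed(), the new single fcntl() call still includes F_SEAL_SEAL, so once the helper returns no further seal can be added to the fd, and with F_SEAL_EXEC dropped from the set nothing in the function tells a caller that it is no longer applied. A short comment above the function stating the exact set (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE), that it protects the content only, and that any additional seal a caller needs must be added before calling this helper would make the contract explicit. The commit message refers to `memfd_set_seals()` while the hunk changes memfd_set_sealed(), and memfd_get_sealed(), which follows in the context and whose body is not shown here, is worth checking against the same four seals so the setter and getter agree.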