From e1007a928a18baad7726113c9f473dd8b17cc0fe Mon Sep 17 00:00:00 2001 From: David Rheinsberg Date: Mon, 17 Jul 2023 12:01:18 +0200 Subject: [PATCH] basic/memfd: reduce default seals to historic set Rather than always setting all seals, make `memfd_set_seals()` employ the original set of seals, that is: SEAL+GROW+SHRINK+WRITE Historically, the memfd code was used with the out-of-tree memfd patches, which merely supported a single seal ("SEALED", which effectively was GROW+SHRINK+WRITE). When the code was adapted to the upstream memfd seals, it was extended to the full seal set. With more and more seals being added upstream, this because more problematic. In particular, it is unclear what the function really is meant to achieve. Instead of just adding all seals, the function is returned to its original purpose: seal the memfd so futher modifications to its content are prevented. --- src/basic/memfd-util.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c index c4e36b0ad45..e21514fa9ea 100644 --- a/src/basic/memfd-util.c +++ b/src/basic/memfd-util.c @@ -92,15 +92,9 @@ int memfd_map(int fd, uint64_t offset, size_t size, void **p) { } int memfd_set_sealed(int fd) { - int r; - assert(fd >= 0); - r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_EXEC | F_SEAL_SEAL)); - if (r == -EINVAL) /* old kernel ? */ - r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)); - - return r; + return RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)); } int memfd_get_sealed(int fd) { -- 2.47.3