treewide: memfd_create: use exec flags

Use the flags MEMFD_EXEC or MEMFD_NOEXEC_SEAL as applicable.

These warnings instruct the kernel wether the memfd is executable or
not.

Without specifying those flags the kernel will emit the following
warning since version 6.3,
commit 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC"):

    kernel: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd'

diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c
index 99df236e7db0212af4f4c2bb1d1e64baeabc3752..285abd41d3a0d42616c135d06dacd0b961c0f3ec 100644 (file)
--- a/src/basic/memfd-util.c
+++ b/src/basic/memfd-util.c
@@ -65,7 +65,7 @@ int memfd_new(const char *name) {
                 }
         }
 
-        return RET_NERRNO(memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC));
+        return memfd_create_wrapper(name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_NOEXEC_SEAL);
 }
 
 int memfd_map(int fd, uint64_t offset, size_t size, void **p) {

diff --git a/src/home/homed-home.c b/src/home/homed-home.c
index 413fcf177305c6f0225040ab087f60b946c218b2..6e9cfd2776705df1995bea7a2480780eba5614d0 100644 (file)
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@@ -23,7 +23,9 @@
 #include "home-util.h"
 #include "homed-home-bus.h"
 #include "homed-home.h"
+#include "memfd-util.h"
 #include "missing_magic.h"
+#include "missing_mman.h"
 #include "missing_syscall.h"
 #include "mkdir.h"
 #include "path-util.h"
@@ -1175,9 +1177,9 @@ static int home_start_work(Home *h, const char *verb, UserRecord *hr, UserRecord
 
         log_debug("Sending to worker: %s", formatted);
 
-        stdout_fd = memfd_create("homework-stdout", MFD_CLOEXEC);
+        stdout_fd = memfd_create_wrapper("homework-stdout", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
         if (stdout_fd < 0)
-                return -errno;
+                return stdout_fd;
 
         r = safe_fork_full("(sd-homework)",
                            (int[]) { stdin_fd, stdout_fd, STDERR_FILENO },

diff --git a/src/shared/data-fd-util.c b/src/shared/data-fd-util.c
index 0dbf89293f7e72d1da116ae0e45da85a105f147f..4831682a020c8319f844f2b6f56ba7d546c4f101 100644 (file)
--- a/src/shared/data-fd-util.c
+++ b/src/shared/data-fd-util.c
@@ -339,7 +339,8 @@ finish:
 
 int memfd_clone_fd(int fd, const char *name, int mode) {
         _cleanup_close_ int mfd = -EBADF;
-        bool ro;
+        struct stat st;
+        bool ro, exec;
         int r;
 
         /* Creates a clone of a regular file in a memfd. Unlike copy_data_fd() this returns strictly a memfd
@@ -351,13 +352,18 @@ int memfd_clone_fd(int fd, const char *name, int mode) {
         assert(IN_SET(mode & O_ACCMODE, O_RDONLY, O_RDWR));
         assert((mode & ~(O_RDONLY|O_RDWR|O_CLOEXEC)) == 0);
 
+        if (fstat(fd, &st) < 0)
+                return -errno;
+
         ro = (mode & O_ACCMODE) == O_RDONLY;
+        exec = st.st_mode & 0111;
 
-        mfd = memfd_create(name,
-                           ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
-                           (ro ? MFD_ALLOW_SEALING : 0));
+        mfd = memfd_create_wrapper(name,
+                                   ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
+                                   (ro ? MFD_ALLOW_SEALING : 0) |
+                                   (exec ? MFD_EXEC : MFD_NOEXEC_SEAL));
         if (mfd < 0)
-                return -errno;
+                return mfd;
 
         r = copy_bytes(fd, mfd, UINT64_MAX, COPY_REFLINK);
         if (r < 0)

diff --git a/src/shared/serialize.c b/src/shared/serialize.c
index cd48286355715af6a845ceca08a56ac63b2001d4..9d1a21360fdc34552d574e0ad3f73094b9e472ed 100644 (file)
--- a/src/shared/serialize.c
+++ b/src/shared/serialize.c
@@ -6,6 +6,7 @@
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
+#include "memfd-util.h"
 #include "missing_mman.h"
 #include "missing_syscall.h"
 #include "parse-util.h"
@@ -197,7 +198,7 @@ int deserialize_environment(const char *value, char ***list) {
 int open_serialization_fd(const char *ident) {
         int fd;
 
-        fd = memfd_create(ident, MFD_CLOEXEC);
+        fd = memfd_create_wrapper(ident, MFD_CLOEXEC | MFD_NOEXEC_SEAL);
         if (fd < 0) {
                 const char *path;