From: DreamConnected <1487442471@qq.com>
Date: Mon, 13 Oct 2025 11:48:21 +0000 (+0800)
Subject: add MFD_EXEC and MFD_NOEXEC_SEAL flag to memfd_create
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F4569%2Fhead;p=thirdparty%2Flxc.git
add MFD_EXEC and MFD_NOEXEC_SEAL flag to memfd_create
Signed-off-by: DreamConnected <1487442471@qq.com>
Co-Authored-By: Danny Lin
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7533e2830..960bdefec 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2602,7 +2602,13 @@ FILE *make_anonymous_mount_file(const struct list_head *mount_entries,
 int ret;
 struct string_entry *entry;
- fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC);
+ fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+ if (fd < 0 && errno == EINVAL) {
+ TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+ fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC);
+ }
+
 if (fd < 0) {
 char template[] = P_tmpdir "/.lxc_mount_file_XXXXXX";
@@ -3385,7 +3391,13 @@ static void turn_into_dependent_mounts(const struct lxc_rootfs *rootfs)
 return;
 }
- memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC);
+ memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+ if (memfd < 0 && errno == EINVAL) {
+ TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+ memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC);
+ }
+
 if (memfd < 0) {
 char template[] = P_tmpdir "/.lxc_mountinfo_XXXXXX";
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index ae984c1fe..d8e12d683 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -401,6 +401,14 @@
 #define MFD_ALLOW_SEALING 0x0002U
 #endif
+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 0x0008U
+#endif
+
+#ifndef MFD_EXEC
+#define MFD_EXEC 0x0010U
+#endif
+
 /**
 * BUILD_BUG_ON - break compile if a condition is true.
 * @condition: the condition which the compiler should know is false.
diff --git a/src/lxc/parse.c b/src/lxc/parse.c
index c174de96c..fa9f5992f 100644
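Review bot: The EINVAL fallback added after `fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC | MFD_NOEXEC_SEAL);` is repeated verbatim, with only the name changed, in the second conf.c hunk, in parse.c and in ringbuf.c, so the kernel-compatibility policy and its log message now live in four places; a single helper taking the name would keep them in one spot. Keying the retry on EINVAL is right for a kernel that predates the flag, and a genuine EINVAL from another cause simply fails again on the second call, so the logic itself is sound; the wording `MFD_NOEXEC_SEAL may unsupported` reads better as `MFD_NOEXEC_SEAL unsupported by this kernel, using MFD_CLOEXEC only`. The helper needs a compilation unit with a log category (utils.c, exposed through utils.h, which ringbuf.c already includes, would do). make_anonymous_mount_file starts and ends outside the hunk.
```c
/*
 * memfd_create() with MFD_NOEXEC_SEAL, falling back to MFD_CLOEXEC alone on
 * kernels that do not know the flag and reject it with EINVAL.
 * Returns the fd, or -1 with errno set by the last memfd_create() call.
 */
int lxc_memfd_create_noexec(const char *name)
{
	int fd = memfd_create(name, MFD_CLOEXEC | MFD_NOEXEC_SEAL);

	if (fd < 0 && errno == EINVAL) {
		TRACE("MFD_NOEXEC_SEAL unsupported by this kernel, using MFD_CLOEXEC only");
		fd = memfd_create(name, MFD_CLOEXEC);
	}

	return fd;
}

/* … call site in make_anonymous_mount_file, replacing the six added lines … */
fd = lxc_memfd_create_noexec(".lxc_mount_file");
```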
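Review bot: The two new fallback definitions say nothing about why they exist or which kernels honour them, so a reader has to reconstruct from the callers that every use must tolerate EINVAL. A comment above `#ifndef MFD_NOEXEC_SEAL` such as `/* memfd_create() exec-control flags (Linux 6.3 and later); older kernels reject them with EINVAL and callers fall back. */` would record that next to the values. The values 0x0008U and 0x0010U match the uapi linux/memfd.h definitions, so the #ifndef guards cannot end up disagreeing with a newer libc header.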
--- a/src/lxc/parse.c
+++ b/src/lxc/parse.c
@@ -56,7 +56,13 @@ int lxc_file_for_each_line_mmap(const char *file, lxc_file_cb callback, void *da
 ssize_t bytes;
 char *line;
- memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC);
+ memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+ if (memfd < 0 && errno == EINVAL) {
+ TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+ memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC);
+ }
+
 if (memfd < 0) {
 char template[] = P_tmpdir "/.lxc_config_file_XXXXXX";
diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
index f2802c2fa..73f649c1d 100644
--- a/src/lxc/rexec.c
+++ b/src/lxc/rexec.c
@@ -15,6 +15,9 @@
 #include "rexec.h"
 #include "string_utils.h"
 #include "syscall_wrappers.h"
+#include "log.h"
+
+lxc_log_define(rexec, lxc);
 #define LXC_MEMFD_REXEC_SEALS \
 (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
@@ -98,7 +101,13 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 ssize_t bytes_sent = 0;
 struct stat st = {0};
- memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
+ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_EXEC);
+
+ if (memfd < 0 && errno == EINVAL) {
+ TRACE("MFD_EXEC may unsupported, using MFD_ALLOW_SEALING and MFD_CLOEXEC");
+ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
+ }
+
 if (memfd < 0) {
 char template[PATH_MAX];
diff --git a/src/lxc/ringbuf.c b/src/lxc/ringbuf.c
index 37ffc8f39..b7a01cf4b 100644
--- a/src/lxc/ringbuf.c
+++ b/src/lxc/ringbuf.c
@@ -11,10 +11,13 @@
 #include
 #include
+#include "log.h"
 #include "ringbuf.h"
 #include "syscall_wrappers.h"
 #include "utils.h"
+lxc_log_define(ringbuf, lxc);
+
 int lxc_ringbuf_create(struct lxc_ringbuf *buf, size_t size)
 {
 __do_close int memfd = -EBADF;
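Review bot: `#include "log.h"` is appended after `#include "syscall_wrappers.h"`, which breaks the alphabetical order of the project includes visible in this hunk, whereas the ringbuf.c hunk in the same commit puts `log.h` in sorted position. Moving it above `#include "rexec.h"` (or wherever the part of the include list above the hunk sorts it) keeps the two files consistent. The start of the include list is outside the hunk.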
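Review bot: The retry after `memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_EXEC);` handles only EINVAL, so on a kernel that knows the flag but runs with `vm.memfd_noexec=2`, where MFD_EXEC is refused with EACCES as far as I recall, control drops straight to the existing `if (memfd < 0)` tmpfile path. That is the right outcome, since retrying without MFD_EXEC under that policy would yield a non-executable memfd that only fails later at exec time, but nothing in the code says it is deliberate. A comment before `if (memfd < 0) {` such as `/* EACCES (vm.memfd_noexec=2) intentionally takes the tmpfile path below: a memfd created there could not be executed anyway */` would stop a later reader from adding a second fallback. The TRACE text `MFD_EXEC may unsupported` should read `MFD_EXEC unsupported by this kernel, using MFD_ALLOW_SEALING | MFD_CLOEXEC`. lxc_rexec_as_memfd continues outside the hunk.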
@@ -34,7 +37,13 @@ int lxc_ringbuf_create(struct lxc_ringbuf *buf, size_t size)
 if (buf->addr == MAP_FAILED)
 return -EINVAL;
- memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC);
+ memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+ if (memfd < 0 && errno == EINVAL) {
+ TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+ memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC);
+ }
+
 if (memfd < 0) {
 char template[] = P_tmpdir "/.lxc_ringbuf_XXXXXX";