From c29715a8f77d96cd731b4a3083b3a852b3b61eb8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?= Date: Tue, 14 Mar 2023 03:42:23 +0000 Subject: [PATCH] treewide: memfd_create: use exec flags Use the flags MEMFD_EXEC or MEMFD_NOEXEC_SEAL as applicable. These warnings instruct the kernel wether the memfd is executable or not. Without specifying those flags the kernel will emit the following warning since version 6.3, commit 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC"): kernel: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd' --- src/basic/memfd-util.c | 2 +- src/home/homed-home.c | 6 ++++-- src/shared/data-fd-util.c | 16 +++++++++++----- src/shared/serialize.c | 3 ++- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c index 99df236e7db..285abd41d3a 100644 --- a/src/basic/memfd-util.c +++ b/src/basic/memfd-util.c @@ -65,7 +65,7 @@ int memfd_new(const char *name) { } } - return RET_NERRNO(memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC)); + return memfd_create_wrapper(name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_NOEXEC_SEAL); } int memfd_map(int fd, uint64_t offset, size_t size, void **p) { diff --git a/src/home/homed-home.c b/src/home/homed-home.c index 413fcf17730..6e9cfd27767 100644 --- a/src/home/homed-home.c +++ b/src/home/homed-home.c @@ -23,7 +23,9 @@ #include "home-util.h" #include "homed-home-bus.h" #include "homed-home.h" +#include "memfd-util.h" #include "missing_magic.h" +#include "missing_mman.h" #include "missing_syscall.h" #include "mkdir.h" #include "path-util.h" @@ -1175,9 +1177,9 @@ static int home_start_work(Home *h, const char *verb, UserRecord *hr, UserRecord log_debug("Sending to worker: %s", formatted); - stdout_fd = memfd_create("homework-stdout", MFD_CLOEXEC); + stdout_fd = memfd_create_wrapper("homework-stdout", MFD_CLOEXEC | MFD_NOEXEC_SEAL); if (stdout_fd < 0) - return -errno; + return stdout_fd; r = safe_fork_full("(sd-homework)", (int[]) { stdin_fd, stdout_fd, STDERR_FILENO }, diff --git a/src/shared/data-fd-util.c b/src/shared/data-fd-util.c index 0dbf89293f7..4831682a020 100644 --- a/src/shared/data-fd-util.c +++ b/src/shared/data-fd-util.c @@ -339,7 +339,8 @@ finish: int memfd_clone_fd(int fd, const char *name, int mode) { _cleanup_close_ int mfd = -EBADF; - bool ro; + struct stat st; + bool ro, exec; int r; /* Creates a clone of a regular file in a memfd. Unlike copy_data_fd() this returns strictly a memfd @@ -351,13 +352,18 @@ int memfd_clone_fd(int fd, const char *name, int mode) { assert(IN_SET(mode & O_ACCMODE, O_RDONLY, O_RDWR)); assert((mode & ~(O_RDONLY|O_RDWR|O_CLOEXEC)) == 0); + if (fstat(fd, &st) < 0) + return -errno; + ro = (mode & O_ACCMODE) == O_RDONLY; + exec = st.st_mode & 0111; - mfd = memfd_create(name, - ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) | - (ro ? MFD_ALLOW_SEALING : 0)); + mfd = memfd_create_wrapper(name, + ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) | + (ro ? MFD_ALLOW_SEALING : 0) | + (exec ? MFD_EXEC : MFD_NOEXEC_SEAL)); if (mfd < 0) - return -errno; + return mfd; r = copy_bytes(fd, mfd, UINT64_MAX, COPY_REFLINK); if (r < 0) diff --git a/src/shared/serialize.c b/src/shared/serialize.c index cd482863557..9d1a21360fd 100644 --- a/src/shared/serialize.c +++ b/src/shared/serialize.c @@ -6,6 +6,7 @@ #include "env-util.h" #include "escape.h" #include "fileio.h" +#include "memfd-util.h" #include "missing_mman.h" #include "missing_syscall.h" #include "parse-util.h" @@ -197,7 +198,7 @@ int deserialize_environment(const char *value, char ***list) { int open_serialization_fd(const char *ident) { int fd; - fd = memfd_create(ident, MFD_CLOEXEC); + fd = memfd_create_wrapper(ident, MFD_CLOEXEC | MFD_NOEXEC_SEAL); if (fd < 0) { const char *path; -- 2.47.3