memfd-util: set F_SEAL_EXEC flag if supported

diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c
index 3e99ab04801c519ab93003fb61c10bf4c032b578..8e6946642b7b4e5809592bf1a380925a37d39efd 100644 (file)
--- a/src/basic/memfd-util.c
+++ b/src/basic/memfd-util.c
@@ -92,9 +92,15 @@ int memfd_map(int fd, uint64_t offset, size_t size, void **p) {
 }
 
 int memfd_set_sealed(int fd) {
+        int r;
+
         assert(fd >= 0);
 
-        return RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL));
+        r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_EXEC | F_SEAL_SEAL));
+        if (r == -EINVAL) /* old kernel ? */
+                r = RET_NERRNO(fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL));
+
+        return r;
 }
 
 int memfd_get_sealed(int fd) {