Re: [RFC PATCH v1 1/1] exec: seal system mappings

From: Oleg Nesterov
Date: Sat Oct 05 2024 - 16:21:14 EST

Next message: Nicolas Pitre: "Re: [PATCH net v3 2/2] net: ethernet: ti: am65-cpsw: avoid devm_alloc_etherdev, fix module removal"
Previous message: David Howells: "Re: [PATCH] Fix logically dead code"
In reply to: Jeff Xu: "Re: [RFC PATCH v1 1/1] exec: seal system mappings"
Next in thread: Jeff Xu: "Re: [RFC PATCH v1 1/1] exec: seal system mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sorry for the noise, forgot to mention...

On 10/04, jeffxu@xxxxxxxxxxxx wrote:
>
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1535,6 +1535,15 @@
> Permit 'security.evm' to be updated regardless of
> current integrity status.
>
> + exec.seal_system_mappings = [KNL]
> + Format: { never | always }
> + Seal system mappings: vdso, vvar, sigpage, uprobes,
> + vsyscall.
> + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*
> + - 'never': never seal system mappings.
> + - 'always': always seal system mappings.
> + If not specified or invalid, default is the KCONFIG value.

perhaps the documentation should also mention that this new parameter has
no effect if CONFIG_64BIT=n.

Oleg.

Next message: Nicolas Pitre: "Re: [PATCH net v3 2/2] net: ethernet: ti: am65-cpsw: avoid devm_alloc_etherdev, fix module removal"
Previous message: David Howells: "Re: [PATCH] Fix logically dead code"
In reply to: Jeff Xu: "Re: [RFC PATCH v1 1/1] exec: seal system mappings"
Next in thread: Jeff Xu: "Re: [RFC PATCH v1 1/1] exec: seal system mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]