Re: [RFC PATCH v1 1/1] exec: seal system mappings

From: Oleg Nesterov
Date: Sat Oct 05 2024 - 16:21:14 EST


Sorry for the noise, forgot to mention...

On 10/04, jeffxu@xxxxxxxxxxxx wrote:
>
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1535,6 +1535,15 @@
> Permit 'security.evm' to be updated regardless of
> current integrity status.
>
> + exec.seal_system_mappings = [KNL]
> + Format: { never | always }
> + Seal system mappings: vdso, vvar, sigpage, uprobes,
> + vsyscall.
> + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*
> + - 'never': never seal system mappings.
> + - 'always': always seal system mappings.
> + If not specified or invalid, default is the KCONFIG value.
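
Review bot: In the added exec.seal_system_mappings entry, "This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*" should read "overrides", and the entry never says what sealing means for these mappings from an administrator's point of view. Suggest adding one sentence that states which operations on vdso, vvar, sigpage, uprobes and vsyscall are refused once they are sealed, so that someone choosing 'always' can judge what userspace might be affected. The last line, "If not specified or invalid, default is the KCONFIG value", treats an invalid value the same as an absent one; the text should say whether a warning is logged in that case, since a mistyped value for a hardening option would otherwise go unnoticed.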

perhaps the documentation should also mention that this new parameter has
no effect if CONFIG_64BIT=n.

Oleg.