Re: [RFC PATCH v1 1/1] exec: seal system mappings

From: Jeff Xu
Date: Mon Oct 07 2024 - 11:00:12 EST


On Sat, Oct 5, 2024 at 1:21 PM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>
> Sorry for the noise, forgot to mention...
>
> On 10/04, jeffxu@xxxxxxxxxxxx wrote:
> >
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -1535,6 +1535,15 @@
> > Permit 'security.evm' to be updated regardless of
> > current integrity status.
> >
> > + exec.seal_system_mappings = [KNL]
> > + Format: { never | always }
> > + Seal system mappings: vdso, vvar, sigpage, uprobes,
> > + vsyscall.
> > + This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*
> > + - 'never': never seal system mappings.
> > + - 'always': always seal system mappings.
> > + If not specified or invalid, default is the KCONFIG value.
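
Review bot: The line "This overwrites KCONFIG CONFIG_SEAL_SYSTEM_MAPPINGS_*" should say "overrides" rather than "overwrites", since the boot parameter takes precedence over the build-time setting without changing it. The wildcard also leaves an administrator guessing which Kconfig options exist and which one maps to 'never' or 'always', so spell the option names out. The entry lists the mappings that are sealed but never says what sealing does to them. One sentence on the effect, or a pointer to the relevant documentation, would let someone reading kernel-parameters.txt decide whether to set it. The last added line says an invalid value falls back to the Kconfig default, and it would help to state whether that fallback is logged, so a typo on the command line does not go unnoticed.
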
>
> perhaps the documentation should also mention that this new parameter has
> no effect if CONFIG_64BIT=n.
Good point, I will add that.

Thanks

>
> Oleg.
>