Re: [PATCH v4 0/6] seccomp: non-cooperative pinned-memfd argument redirect

From: Mike Rapoport

Date: Sat Jun 27 2026 - 04:19:14 EST


On 2026-06-26 18:22 -0700, Cong Wang wrote:
> The seccomp user-notification SECCOMP_USER_NOTIF_FLAG_CONTINUE response
> carries an inherent TOCTOU: once the supervisor decides to let a syscall
> continue, the target (or a CLONE_VM peer) can rewrite the memory behind a
> pointer argument before the kernel reads it. This is documented in the
> UAPI header and is why the notifier "cannot be used to implement a
> security policy" today.
>
> ---
> Cong Wang (6):
> mm: add __do_mmap() and vm_mmap_seal_remote()
> seccomp: introduce SECCOMP_IOCTL_NOTIF_PIN_INSTALL
> seccomp: add kernel-installed pinned-memfd redirect
> seccomp: re-validate a redirected syscall against outer filters
> selftests/seccomp: cover non-cooperative pinned-memfd install
> docs/seccomp: document pinned-memfd redirect ioctls

This breaks VMA tests:
https://github.com/linux-mm/linux-mm/actions/runs/28274564619/job/83778604364