From: Alejandro Colomar <alx@kernel.org>
To: Pratyush Yadav <pratyush@kernel.org>
Cc: David Hildenbrand <david@kernel.org>,
	 Daniel Verkamp <dverkamp@chromium.org>,
	Jeff Xu <jeffxu@google.com>,
	 Pasha Tatashin <pasha.tatashin@soleen.com>,
	Baolin Wang <baolin.wang@linux.alibaba.com>,
	 Hugh Dickins <hughd@google.com>,
	linux-man@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v2] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC
Date: Tue, 2 Jun 2026 01:41:48 +0200
Message-ID: <ah4YmXpL6rxHlo4r@devuan>
In-Reply-To: <20260529140557.1624507-1-pratyush@kernel.org>


Hi Pratyush,

On 2026-05-29T16:05:55+0200, Pratyush Yadav wrote:
> From: "Pratyush Yadav (Google)" <pratyush@kernel.org>
> 
> F_SEAL_EXEC was added in Linux v6.3. It blocks changing of the exec bits
> once added. Document it.
> 
> Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
> ---
> 
> Notes:
>     I discovered this was missing when working on [0]. I had to look at the
>     code to figure out how it was supposed to behave.
>     
>     Changes in v2:
>     - Re-write the documentation by hand.
>     
>     [0] https://lore.kernel.org/linux-mm/20260505133922.797635-1-pratyush@kernel.org/

Thanks!  I've applied the patch, with a few minor tweaks:

	diff --git i/man/man2const/F_GET_SEALS.2const w/man/man2const/F_GET_SEALS.2const
	index f41e1748acd0..686a92fddefe 100644
	--- i/man/man2const/F_GET_SEALS.2const
	+++ w/man/man2const/F_GET_SEALS.2const
	@@ -178,13 +178,15 @@ .SH DESCRIPTION
	 while sharing that buffer on a "read-only" basis with other processes.
	 .TP
	 .BR F_SEAL_EXEC " (since Linux 6.3)"
	-If this seal is set, the execute mode bits of the file cannot be modified.
	+If this seal is set,
	+the execute mode bits of the file cannot be modified.
	 Attempting to change the execute mode bits via
	 .BR fchmod (2)
	 or similar will fail with
	 .BR EPERM .
	-This results in a memfd that is either permanently executable or
	-permanently un-executable.
	+This results in a memfd that is
	+either permanently executable
	+or permanently not executable.
	 .IP
	 Adding this seal implicitly adds
	 .BR F_SEAL_GROW ,
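Review bot: "or similar" in the context line "or similar will fail with" leaves the reader guessing which interfaces are covered, while the rest of this page names calls precisely; consider either listing the other mode-changing calls next to fchmod(2) (chmod(2), fchmodat(2)) or rewording the sentence to say that any attempt to change the execute mode bits fails with EPERM, which also makes the rewrapped "If this seal is set, / the execute mode bits of the file cannot be modified." and the EPERM sentence read as one statement rather than two.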
	@@ -193,7 +195,8 @@ .SH DESCRIPTION
	 and
	 .BR F_SEAL_FUTURE_WRITE .
	 This ensures that the executable code is not writeable.
	-All the pre-requisites to add the implied seals must be met to successfully add
	+All the pre-requisites to add the implied seals must be met
	+to successfully add
	 .BR F_SEAL_EXEC .
	 .SH RETURN VALUE
	 .TP
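Review bot: "pre-requisites" in the rewrapped line is a nonstandard spelling; "prerequisites" is the usual form. The sentence also states the requirement ("must be met") without saying what happens when it is not: consider adding that F_ADD_SEALS then fails with the error the implied seal would produce (for example EBUSY when a writable shared mapping blocks F_SEAL_WRITE) and cross-referencing the ERRORS section, so a reader who hits the failure while adding F_SEAL_EXEC can find the cause.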


Have a lovely night!
Alex

> 
>  man/man2const/F_GET_SEALS.2const | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/man/man2const/F_GET_SEALS.2const b/man/man2const/F_GET_SEALS.2const
> index 175025c10..f41e1748a 100644
> --- a/man/man2const/F_GET_SEALS.2const
> +++ b/man/man2const/F_GET_SEALS.2const
> @@ -176,6 +176,25 @@ will fail with
>  Using this seal,
>  one process can create a memory buffer that it can continue to modify
>  while sharing that buffer on a "read-only" basis with other processes.
> +.TP
> +.BR F_SEAL_EXEC " (since Linux 6.3)"
> +If this seal is set, the execute mode bits of the file cannot be modified.
> +Attempting to change the execute mode bits via
> +.BR fchmod (2)
> +or similar will fail with
> +.BR EPERM .
> +This results in a memfd that is either permanently executable or
> +permanently un-executable.
> +.IP
> +Adding this seal implicitly adds
> +.BR F_SEAL_GROW ,
> +.BR F_SEAL_SHRINK ,
> +.BR F_SEAL_WRITE ,
> +and
> +.BR F_SEAL_FUTURE_WRITE .
> +This ensures that the executable code is not writeable.
> +All the pre-requisites to add the implied seals must be met to successfully add
> +.BR F_SEAL_EXEC .
>  .SH RETURN VALUE
>  .TP
>  .B F_GET_SEALS
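Review bot: the sentence beginning "Adding this seal implicitly adds" presents the implied F_SEAL_GROW, F_SEAL_SHRINK, F_SEAL_WRITE and F_SEAL_FUTURE_WRITE seals as unconditional, yet the rationale that follows ("This ensures that the executable code is not writeable") only applies to a file whose execute bits are set. Please check memfd_add_seals() in mm/memfd.c and, if the implication is restricted to memfds that are executable at the time the seal is added, say so explicitly: a non-executable memfd sealed with F_SEAL_EXEC would then stay writable, which a reader relying on this paragraph would not expect.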
> 
> base-commit: 9db8ca91f920b9aba40ed68de6b8da0ca9dbefaa
> -- 
> 2.54.0.1013.g208068f2d8-goog
> 
> 

-- 
<https://www.alejandro-colomar.es>
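
As an added example, not part of this thread or of the man-pages project, the following C program exercises the behaviour the patch documents: an executable memfd takes F_SEAL_EXEC only once no writable shared mapping exists, fchmod(2) then refuses to change the execute bits with EPERM while other mode bits stay changeable, and F_GET_SEALS reports the implied seals. It assumes Linux 6.3 or later with glibc's memfd_create(3); the fallback value 0x0020 for F_SEAL_EXEC is the <linux/fcntl.h> constant supplied for older headers, and the DEMO_* result codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020  /* <linux/fcntl.h> value; headers older than 6.3 lack it */
#endif
#define WX_SEALS (F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)

enum { DEMO_OK, DEMO_UNSUPPORTED, DEMO_UNEXPECTED };  /* example's own result codes */

/* Seal an executable memfd with F_SEAL_EXEC and check the documented behaviour:
 * the seal is refused while a writable shared mapping exists, afterwards the exec
 * bits are immutable (EPERM), and *seals_out (F_GET_SEALS) shows the implied seals. */
int seal_exec_demo(int *seals_out)
{
    int fd = memfd_create("sealed-code", MFD_ALLOW_SEALING);
    if (fd < 0)
        return DEMO_UNSUPPORTED;
    int rc = DEMO_UNSUPPORTED;    /* pre-6.3 kernel, or pre-sealed by vm.memfd_noexec */
    if (ftruncate(fd, 4096) < 0 || fchmod(fd, 0755) < 0)
        goto out;                 /* make the file executable before sealing */
    /* Prerequisite of the implied F_SEAL_WRITE: no writable shared mapping may exist. */
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        goto out;
    int busy = fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0 ? errno : 0;
    munmap(p, 4096);
    if (busy == EINVAL)
        goto out;                 /* kernel does not know F_SEAL_EXEC */
    rc = DEMO_UNEXPECTED;
    if (busy != EBUSY)            /* sealing over a live writable mapping must be refused */
        goto out;
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC) < 0)   /* mapping gone: sealing succeeds */
        goto out;
    if (fchmod(fd, 0644) == 0 || errno != EPERM)   /* clearing the exec bits: EPERM */
        goto out;
    if (fchmod(fd, 0711) < 0)     /* exec bits unchanged, rw bits changed: allowed */
        goto out;
    *seals_out = fcntl(fd, F_GET_SEALS);
    if ((*seals_out & (F_SEAL_EXEC | WX_SEALS)) == (F_SEAL_EXEC | WX_SEALS))
        rc = DEMO_OK;
out:
    close(fd);
    return rc;
}
```

DEMO_UNSUPPORTED is returned on kernels without F_SEAL_EXEC, where memfd_create() is blocked, or where vm.memfd_noexec has already sealed the file, so the checks only run where the documented behaviour can be observed.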