From: Alejandro Colomar <alx@kernel.org>
To: Pratyush Yadav <pratyush@kernel.org>
Cc: David Hildenbrand <david@kernel.org>,
Daniel Verkamp <dverkamp@chromium.org>,
Jeff Xu <jeffxu@google.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Baolin Wang <baolin.wang@linux.alibaba.com>,
Hugh Dickins <hughd@google.com>,
linux-man@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v2] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC
Date: Tue, 2 Jun 2026 01:41:48 +0200 [thread overview]
Message-ID: <ah4YmXpL6rxHlo4r@devuan> (raw)
In-Reply-To: <20260529140557.1624507-1-pratyush@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 3362 bytes --]
Hi Pratyush,
On 2026-05-29T16:05:55+0200, Pratyush Yadav wrote:
> From: "Pratyush Yadav (Google)" <pratyush@kernel.org>
>
> F_SEAL_EXEC was added in Linux v6.3. It blocks changing of the exec bits
> once added. Document it.
>
> Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
> ---
>
> Notes:
> I discovered this was missing when working on [0]. I had to look at the
> code to figure out how it was supposed to behave.
>
> Changes in v2:
> - Re-write the documentation by hand.
>
> [0] https://lore.kernel.org/linux-mm/20260505133922.797635-1-pratyush@kernel.org/
Thanks! I've applied the patch, with a few minor tweaks:
diff --git i/man/man2const/F_GET_SEALS.2const w/man/man2const/F_GET_SEALS.2const
index f41e1748acd0..686a92fddefe 100644
--- i/man/man2const/F_GET_SEALS.2const
+++ w/man/man2const/F_GET_SEALS.2const
@@ -178,13 +178,15 @@ .SH DESCRIPTION
while sharing that buffer on a "read-only" basis with other processes.
.TP
.BR F_SEAL_EXEC " (since Linux 6.3)"
-If this seal is set, the execute mode bits of the file cannot be modified.
+If this seal is set,
+the execute mode bits of the file cannot be modified.
Attempting to change the execute mode bits via
.BR fchmod (2)
or similar will fail with
.BR EPERM .
-This results in a memfd that is either permanently executable or
-permanently un-executable.
+This results in a memfd that is
+either permanently executable
+or permanently not executable.
.IP
Adding this seal implicitly adds
.BR F_SEAL_GROW ,
@@ -193,7 +195,8 @@ .SH DESCRIPTION
and
.BR F_SEAL_FUTURE_WRITE .
This ensures that the executable code is not writeable.
-All the pre-requisites to add the implied seals must be met to successfully add
+All the pre-requisites to add the implied seals must be met
+to successfully add
.BR F_SEAL_EXEC .
.SH RETURN VALUE
.TP
Have a lovely night!
Alex
>
> man/man2const/F_GET_SEALS.2const | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/man/man2const/F_GET_SEALS.2const b/man/man2const/F_GET_SEALS.2const
> index 175025c10..f41e1748a 100644
> --- a/man/man2const/F_GET_SEALS.2const
> +++ b/man/man2const/F_GET_SEALS.2const
> @@ -176,6 +176,25 @@ will fail with
> Using this seal,
> one process can create a memory buffer that it can continue to modify
> while sharing that buffer on a "read-only" basis with other processes.
> +.TP
> +.BR F_SEAL_EXEC " (since Linux 6.3)"
> +If this seal is set, the execute mode bits of the file cannot be modified.
> +Attempting to change the execute mode bits via
> +.BR fchmod (2)
> +or similar will fail with
> +.BR EPERM .
> +This results in a memfd that is either permanently executable or
> +permanently un-executable.
> +.IP
> +Adding this seal implicitly adds
> +.BR F_SEAL_GROW ,
> +.BR F_SEAL_SHRINK ,
> +.BR F_SEAL_WRITE ,
> +and
> +.BR F_SEAL_FUTURE_WRITE .
> +This ensures that the executable code is not writeable.
> +All the pre-requisites to add the implied seals must be met to successfully add
> +.BR F_SEAL_EXEC .
> .SH RETURN VALUE
> .TP
> .B F_GET_SEALS
>
> base-commit: 9db8ca91f920b9aba40ed68de6b8da0ca9dbefaa
> --
> 2.54.0.1013.g208068f2d8-goog
>
>
--
<https://www.alejandro-colomar.es>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2026-06-01 23:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 14:05 [PATCH v2] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC Pratyush Yadav
2026-06-01 23:41 ` Alejandro Colomar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ah4YmXpL6rxHlo4r@devuan \
--to=alx@kernel.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=dverkamp@chromium.org \
--cc=hughd@google.com \
--cc=jeffxu@google.com \
--cc=linux-man@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pasha.tatashin@soleen.com \
--cc=pratyush@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox