* [PATCH] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC
From: Pratyush Yadav @ 2026-05-29 12:40 UTC
To: Alejandro Colomar
Cc: Pratyush Yadav (Google), David Hildenbrand, Daniel Verkamp,
Jeff Xu, Pasha Tatashin, Baolin Wang, Hugh Dickins, linux-man,
linux-mm
From: "Pratyush Yadav (Google)" <pratyush@kernel.org>

F_SEAL_EXEC was added in Linux v6.3. It seals the exec bits of the
memfd. Document it.

Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
---

Notes:
I discovered this was missing when working on [0]. I had to look at the
code to figure out how it was supposed to behave.

Disclaimer: I used help from Gemini to write this patch, mainly because
I don't know the man page syntax. If the man-pages project also uses the
AI-assisted tags as Linux, feel free to add:

Assisted-by: Gemini:gemini-3.1-pro

[0] https://lore.kernel.org/linux-mm/20260505133922.797635-1-pratyush@kernel.org/

man/man2const/F_GET_SEALS.2const | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/man/man2const/F_GET_SEALS.2const b/man/man2const/F_GET_SEALS.2const
index 175025c10..2de8009a8 100644
--- a/man/man2const/F_GET_SEALS.2const
+++ b/man/man2const/F_GET_SEALS.2const
@@ -176,6 +176,25 @@ will fail with
Using this seal,
one process can create a memory buffer that it can continue to modify
while sharing that buffer on a "read-only" basis with other processes.
+.TP
+.BR F_SEAL_EXEC " (since Linux 6.3)"
+If this seal is set, the execute bits in the file mode cannot be modified.
+Any attempt to modify these bits via
+.BR chmod (2),
+.BR fchmod (2),
+or similar calls will fail with
+.BR EPERM .
+This preserves the execute bits as they were at the time of sealing,
+making the file either permanently executable or permanently unexecutable.
+.IP
+If this seal is applied to a file that is already executable,
+the kernel also implicitly applies
+.BR F_SEAL_SHRINK ,
+.BR F_SEAL_GROW ,
+.BR F_SEAL_WRITE ,
+and
+.BR F_SEAL_FUTURE_WRITE ,
+preventing any further modifications to the contents of the file.
.SH RETURN VALUE
.TP
.B F_GET_SEALS
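Review bot: "or similar calls" in the first added F_SEAL_EXEC paragraph leaves the reader guessing which interfaces return EPERM; list them explicitly alongside chmod(2) and fchmod(2), or drop the phrase. "Any attempt to modify these bits" also does not say whether a mode change that leaves the execute bits as they are still succeeds on a sealed file, which matters to callers that only adjust read or write permissions. "unexecutable" would read better as "non-executable".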
base-commit: 9db8ca91f920b9aba40ed68de6b8da0ca9dbefaa
--
2.54.0.1013.g208068f2d8-goog
* Re: [PATCH] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC
From: Alejandro Colomar @ 2026-05-29 13:12 UTC
To: Pratyush Yadav
Cc: David Hildenbrand, Daniel Verkamp, Jeff Xu, Pasha Tatashin,
Baolin Wang, Hugh Dickins, linux-man, linux-mm
Hi Pratyush,
On 2026-05-29T14:40:44+0200, Pratyush Yadav wrote:
> From: "Pratyush Yadav (Google)" <pratyush@kernel.org>
>
> F_SEAL_EXEC was added in Linux v6.3. It seals the exec bits of the
> memfd. Document it.
>
> Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
> ---
>
> Notes:
> I discovered this was missing when working on [0]. I had to look at the
> code to figure out how it was supposed to behave.
>
> Disclaimer: I used help from Gemini to write this patch, mainly because
> I don't know the man page syntax. If the man-pages project also uses the
> AI-assisted tags as Linux, feel free to add:
>
> Assisted-by: Gemini:gemini-3.1-pro

$ head -n13 CONTRIBUTING.d/ai
Name
AI - artificial intelligence policy

Description
It is expressly forbidden to contribute to this project any
content that has been created or derived with the assistance of
AI tools.

This includes AI assistive tools used in the contributing
process, even if such tools do not directly generate the
contributed code but are used to derive the contribution. For
example, AI linters, AI static analyzers, and AI tools that
summarize input are forbidden.

If you only used it for formatting, and the text is entirely yours, I
guess you'll be able to write it again from scratch easily (it's not
a lot of text, anyway).

To proceed clean, you should remove the patch entirely, and write it
again from scratch, only looking at surrounding code and other pages,
but not looking at the contaminated patch.

If you have any doubts about the man(7) language, I can help, or even
fix things for you (as long as it's reasonably easy to do so).

Thanks!

Have a lovely day!
Alex

>
> [0] https://lore.kernel.org/linux-mm/20260505133922.797635-1-pratyush@kernel.org/
>
> man/man2const/F_GET_SEALS.2const | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/man/man2const/F_GET_SEALS.2const b/man/man2const/F_GET_SEALS.2const
> index 175025c10..2de8009a8 100644
> --- a/man/man2const/F_GET_SEALS.2const
> +++ b/man/man2const/F_GET_SEALS.2const
> @@ -176,6 +176,25 @@ will fail with
> Using this seal,
> one process can create a memory buffer that it can continue to modify
> while sharing that buffer on a "read-only" basis with other processes.
> +.TP
> +.BR F_SEAL_EXEC " (since Linux 6.3)"
> +If this seal is set, the execute bits in the file mode cannot be modified.
> +Any attempt to modify these bits via
> +.BR chmod (2),
> +.BR fchmod (2),
> +or similar calls will fail with
> +.BR EPERM .
> +This preserves the execute bits as they were at the time of sealing,
> +making the file either permanently executable or permanently unexecutable.
> +.IP
> +If this seal is applied to a file that is already executable,
> +the kernel also implicitly applies
> +.BR F_SEAL_SHRINK ,
> +.BR F_SEAL_GROW ,
> +.BR F_SEAL_WRITE ,
> +and
> +.BR F_SEAL_FUTURE_WRITE ,
> +preventing any further modifications to the contents of the file.
> .SH RETURN VALUE
> .TP
> .B F_GET_SEALS
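Review bot: The .IP paragraph applies the extra seals to a file that is "already executable" without defining that; state whether a single execute bit in the file mode is enough or whether all of them must be set. It should also say whether the implicitly applied F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE and F_SEAL_FUTURE_WRITE are then reported by F_GET_SEALS, and what the call returns if one of the implied seals cannot be applied.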
>
> base-commit: 9db8ca91f920b9aba40ed68de6b8da0ca9dbefaa
> --
> 2.54.0.1013.g208068f2d8-goog
>
>
--
<https://www.alejandro-colomar.es>
* Re: [PATCH] man/man2const/F_{ADD,GET}_SEALS.2const: document F_SEAL_EXEC
From: Pratyush Yadav @ 2026-05-29 13:28 UTC
To: Alejandro Colomar
Cc: Pratyush Yadav, David Hildenbrand, Daniel Verkamp, Jeff Xu,
Pasha Tatashin, Baolin Wang, Hugh Dickins, linux-man, linux-mm
On Fri, May 29 2026, Alejandro Colomar wrote:
> Hi Pratyush,
>
> On 2026-05-29T14:40:44+0200, Pratyush Yadav wrote:
>> From: "Pratyush Yadav (Google)" <pratyush@kernel.org>
>>
>> F_SEAL_EXEC was added in Linux v6.3. It seals the exec bits of the
>> memfd. Document it.
>>
>> Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
>> ---
>>
>> Notes:
>> I discovered this was missing when working on [0]. I had to look at the
>> code to figure out how it was supposed to behave.
>>
>> Disclaimer: I used help from Gemini to write this patch, mainly because
>> I don't know the man page syntax. If the man-pages project also uses the
>> AI-assisted tags as Linux, feel free to add:
>>
>> Assisted-by: Gemini:gemini-3.1-pro
>
> $ head -n13 CONTRIBUTING.d/ai
> Name
> AI - artificial intelligence policy
>
> Description
> It is expressly forbidden to contribute to this project any
> content that has been created or derived with the assistance of
> AI tools.
>
> This includes AI assistive tools used in the contributing
> process, even if such tools do not directly generate the
> contributed code but are used to derive the contribution. For
> example, AI linters, AI static analyzers, and AI tools that
> summarize input are forbidden.

Oh, well, that's a bummer :-(. I do understand the concerns, especially
the copyright one, but unfortunately I'm bummed about redoing an
otherwise perfectly good patch. These AI tools do make this sort of
stuff a tad bit easier.

Anyway, as you say, the amount of text is relatively small so I can redo
it by hand.

>
> If you only used it for formatting, and the text is entirely yours, I
> guess you'll be able to write it again from scratch easily (it's not
> a lot of text, anyway).
>
> To proceed clean, you should remove the patch entirely, and write it
> again from scratch, only looking at surrounding code and other pages,
> but not looking at the contaminated patch.
>
> If you have any doubts about the man(7) language, I can help, or even
> fix things for you (as long as it's reasonably easy to do so).
>
> Thanks!
>
>
> Have a lovely day!
> Alex
--
Regards,
Pratyush Yadav