From: Jiri Olsa <olsajiri@gmail.com>
To: Daniel Xu <dxu@dxuuu.xyz>, Andrei Enache <andreien@proton.me>
Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net,
eddyz87@gmail.com, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, john.fastabend@gmail.com,
kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next] libbpf: Set MFD_NOEXEC_SEAL when creating memfd
Date: Mon, 30 Dec 2024 17:16:17 +0100 [thread overview]
Message-ID: <Z3LHUWH8YyKGgNX7@krava> (raw)
In-Reply-To: <6bf30e1a22d867af9145aa5e94c3fd9281a1c98d.1735508627.git.dxu@dxuuu.xyz>
On Sun, Dec 29, 2024 at 02:44:33PM -0700, Daniel Xu wrote:
> Since 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC"), the
> kernel has started printing a warning if neither MFD_NOEXEC_SEAL nor
> MFD_EXEC is set in memfd_create().
>
> To avoid this warning (and also be more secure), set MFD_NOEXEC_SEAL by
> default. But since libbpf can be running on potentially very old
> kernels, leave a fallback for kernels without MFD_NOEXEC_SEAL support.
>
> Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
there's similar change posted by Andrei already:
https://lore.kernel.org/bpf/eTid-pMaxx4d_gMkyFN6fgVGub01RRJYIl1SzTmRG7RtRlPUJOMrVfe2I1W8s0OBHBFy3UN2WGm_e6mak0nGcrZ4ZdxAYRUSDDcUSVMvNA4=@proton.me/T/#u
jirka
> ---
> tools/lib/bpf/libbpf.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 66173ddb5a2d..46492cc0927d 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -1731,12 +1731,24 @@ static int sys_memfd_create(const char *name, unsigned flags)
> #ifndef MFD_CLOEXEC
> #define MFD_CLOEXEC 0x0001U
> #endif
> +#ifndef MFD_NOEXEC_SEAL
> +#define MFD_NOEXEC_SEAL 0x0008U
> +#endif
>
> static int create_placeholder_fd(void)
> {
> + unsigned int flags = MFD_CLOEXEC | MFD_NOEXEC_SEAL;
> + const char *name = "libbpf-placeholder-fd";
> int fd;
>
> - fd = ensure_good_fd(sys_memfd_create("libbpf-placeholder-fd", MFD_CLOEXEC));
> + fd = ensure_good_fd(sys_memfd_create(name, flags));
> + if (fd >= 0)
> + return fd;
> + else if (errno != EINVAL)
> + return -errno;
> +
> + /* Possibly running on kernel without MFD_NOEXEC_SEAL */
> + fd = ensure_good_fd(sys_memfd_create(name, flags & ~MFD_NOEXEC_SEAL));
> if (fd < 0)
> return -errno;
> return fd;
> --
> 2.47.1
>
next prev parent reply other threads:[~2024-12-30 16:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-29 21:44 [PATCH bpf-next] libbpf: Set MFD_NOEXEC_SEAL when creating memfd Daniel Xu
2024-12-30 16:16 ` Jiri Olsa [this message]
2024-12-30 19:23 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z3LHUWH8YyKGgNX7@krava \
--to=olsajiri@gmail.com \
--cc=andreien@proton.me \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dxu@dxuuu.xyz \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox