common: Mark our memfds as non-executable #19823
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
FTR, current Python 3.12 does not expose these new constants yet. But we also only use |
|
Ugh, fails on aarch64 at least. Update: Fixed. |
martinpitt
force-pushed
the
memfd-noexec
branch
from
088b836
to
e771331
Compare
|
I've seen this udisks crash a lot, let's see if I can find out something more about it locally. |
allisonkarlitskaya
requested changes
Jan 9, 2024
|
@allisonkarlitskaya no, it was not a typo, but deliberate (I had a version with 8, but then discarded it). See replies above. |
martinpitt
force-pushed
the
memfd-noexec
branch
from
e771331
to
d791202
Compare
We only ever use them to store data. Recent Linux kernels now encourage explicitly declaring whether a memfd is supposed to be executable [1]. This avoids an unsightly warning at boot: > login: [ 85.637785] cockpit-tls[1176]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set Older kernel releases don't know about that flag yet, so add some ifdeffery and runtime fallback. We need to support building for a new distro/include files, but running on an older kernel. [1] https://lwn.net/Articles/918106/
martinpitt
force-pushed
the
memfd-noexec
branch
from
d791202
to
7cc6503
Compare
allisonkarlitskaya
approved these changes
Jan 9, 2024
|
Eww, what happened to this aarch64 run.. retrying, can't hurt here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We only ever use them to store data. Recent Linux kernels now encourage explicitly declaring whether a memfd is supposed to be executable [1]. This avoids an unsightly warning at boot:
Older kernel releases don't know about that flag yet, so add some ifdeffery and runtime fallback. We need to support building for a new distro/include files, but running on an older kernel.
[1] https://lwn.net/Articles/918106/
You can see this with
bots/vm-run fedora-39