shm: if defined, set MFD_NOEXEC_SEAL flag for memfd_create

Effective from Linux 6.3.0 onward, this creates the memfd without
execute permissions and prevents that setting from ever being changed.

This is a defense-in-depth security measure and prevents a respective
kernel warning from being emitted.

See https://lwn.net/Articles/918106/ for more information.
6t8k 2023-10-05 12:22:44 +02:00
parent 33a5a369f2
commit 61eb56dfda
No known key found for this signature in database
GPG key ID: 3D496371A6444D47

shm.c

@ -330,8 +330,13 @@ get_new_buffers(struct buffer_chain *chain, size_t count,
struct buffer_pool *pool = NULL;
/* Backing memory for SHM */
#if defined(MFD_NOEXEC_SEAL)
#define FOOT_MFD_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC_SEAL)
#else
#define FOOT_MFD_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING)
#endif
#if defined(MEMFD_CREATE)
pool_fd = memfd_create("foot-wayland-shm-buffer-pool", MFD_CLOEXEC | MFD_ALLOW_SEALING);
pool_fd = memfd_create("foot-wayland-shm-buffer-pool", FOOT_MFD_FLAGS);
#elif defined(__FreeBSD__)
// memfd_create on FreeBSD 13 is SHM_ANON without sealing support
pool_fd = shm_open(SHM_ANON, O_RDWR | O_CLOEXEC, 0600);
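Review bot: The `#if defined(MFD_NOEXEC_SEAL)` guard around `FOOT_MFD_FLAGS` decides at build time only, so a binary built against headers that define the flag but run on a kernel older than 6.3 passes a flag that kernel does not know, and memfd_create() rejects unknown flag bits with EINVAL. Consider retrying the `memfd_create("foot-wayland-shm-buffer-pool", ...)` call without MFD_NOEXEC_SEAL when it fails with EINVAL, so the buffer pool is still created on such kernels instead of failing outright. As a smaller style point, `FOOT_MFD_FLAGS` is defined inside get_new_buffers(); an `#undef` after the call, or moving the definition to file scope, would keep the macro from leaking into the rest of shm.c.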