Lines Matching +full:allow +full:- +full:set +full:- +full:time

1 .. SPDX-License-Identifier: GPL-2.0
4 Introduction of non-executable mfd
14 execute bit set, and the memfd_create() syscall doesn't allow setting
17 However, in a secure-by-default system, such as ChromeOS, (where all
31  - Let memfd_create() set X bit at creation time.
32  - Let memfd be sealed for modifying X bit when NX is set.
33  - Add a new pid namespace sysctl: vm.memfd_noexec to help applications in
34    migrating and enforcing non-executable MFD.
41 	When MFD_NOEXEC_SEAL bit is set in the ``flags``, memfd is created
42 	with NX. F_SEAL_EXEC is set and the memfd can't be modified to
47 	When MFD_EXEC bit is set in the ``flags``, memfd is created with X.
60  - 0: MEMFD_NOEXEC_SCOPE_EXEC
62 	MFD_EXEC was set.
64  - 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL
66 	MFD_NOEXEC_SEAL was set.
68  - 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
72 doesn't set the executable bit; for example, a container with
73 vm.memfd_noexec=1 means the old software will create non-executable memfd
78 time. In addition, the setting is hierarchical, i.e. during memfd_create,
84 [2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20memfd%20escalation&can…