Lines Matching +full:we +full:- +full:on +full:- +full:ns
1 .. SPDX-License-Identifier: GPL-2.0
4 Introduction of non-executable mfd
17 However, in a secure-by-default system, such as ChromeOS, (where all
25 On the other hand, executable memfd has its legit use: runc uses memfd’s
27 execute them. For such a system, we need a solution to differentiate runc's
31 - Let memfd_create() set X bit at creation time.
32 - Let memfd be sealed for modifying X bit when NX is set.
33 - Add a new pid namespace sysctl: vm.memfd_noexec to help applications in
34 migrating and enforcing non-executable MFD.
60 - 0: MEMFD_NOEXEC_SCOPE_EXEC
64 - 1: MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL
68 - 2: MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
73 vm.memfd_noexec=1 means the old software will create non-executable memfd
79 we will search from current ns to root ns and use the most restrictive
84 [2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20memfd%20escalation&can…