Lines Matching +full:protect +full:- +full:exec

1 .. SPDX-License-Identifier: GPL-2.0
17 such an attacker primitive can break control-flow integrity guarantees
18 since read-only memory that is supposed to be trusted can become writable
29 -----------------------
34 - The start address must be in an allocated VMA.
35 - The start address must be page aligned.
36 - The end address (**addr** + **len**) must be in an allocated VMA.
37 - no gap (unallocated memory) between start and end address.
44 - **0**: Success.
45 - **-EINVAL**:
49 - **-ENOMEM**:
53 - **-EPERM**:
54 * sealing is supported only on 64-bit CPUs, 32-bit is not supported.
57 - For the above error cases, users can expect the given memory range is
59 - There might be other internal errors/cases not listed here, e.g.
65 mseal only works on 64-bit CPUs, not 32-bit CPUs.
69 is a no-action (not error).
77 -------------------------------------
90 - munmap
91 - mmap
92 - mremap
93 - mprotect and pkey_mprotect
94 - some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
113 Kernel will return -EPERM for blocked syscalls.
115 When a blocked syscall returns -EPERM due to sealing, the memory regions may
118 - munmap: munmap is atomic. If one of the VMAs in the given range is
120 - mprotect, pkey_mprotect, madvise: partial update might happen, e.g.
122 VMAs before reaching the sealed VMA and return -EPERM.
123 - mmap and mremap: undefined behavior.
127 - glibc:
131 - Chrome browser: protect some security sensitive data structures.
138 until the process terminates or the exec system call is invoked.
141 - aio/shm
148 - ptr allocated by malloc (heap)
154 non-deterministic.
176 - Write to read-only memory through /proc/self/mem interface (FOLL_FORCE).
177 - Write to read-only memory through ptrace (such as PTRACE_POKETEXT).
178 - userfaultfd.
185 - [1] https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/…
186 - [2] https://man.openbsd.org/mimmutable.2
187 - [3] https://lore.kernel.org/lkml/[email protected]
188 - [4] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=…