On some ARM platforms, the dynamic linker can pass the PROT_BTI memory protection flag via `mprotect(..., PROT_BTI | PROT_EXEC)` to enable additional memory protection for executable pages. But `MemoryDenyWriteExecute=yes` blocks this, because its seccomp filter denies all `mprotect(..., x | PROT_EXEC)` calls. The newly preferred method is to use prctl(PR_SET_MDWE) on supported kernels. The in-kernel implementation can then allow PROT_BTI as necessary, without weakening MDWE. The in-kernel version may also be extended to more sophisticated protections in the future.
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include <linux/prctl.h>
/* Ambient capability prctl() interface, introduced by kernel commit
 * 58319057b7847667f0c9585b9de0e8932b0fdb08 (4.3).
 *
 * Fallback definitions for building against kernel headers that predate it.
 * The numbers are kernel ABI and must stay identical to the kernel's values. */
#ifndef PR_CAP_AMBIENT
#  define PR_CAP_AMBIENT 47

/* Sub-operations, passed as the second prctl() argument. */
#  define PR_CAP_AMBIENT_IS_SET 1
#  define PR_CAP_AMBIENT_RAISE 2
#  define PR_CAP_AMBIENT_LOWER 3
#  define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif
/* Memory-Deny-Write-Execute (MDWE) prctl() interface, introduced by kernel
 * commit b507808ebce23561d4ff8c2aa1fb949fe402bc61 (6.3).
 *
 * Fallback definitions for building against kernel headers that predate it.
 * The numbers are kernel ABI and must stay identical to the kernel's values.
 *
 * These fallbacks only make the code compile: a kernel without MDWE support
 * still rejects the prctl() at run time, so callers must check the result and
 * keep another enforcement path (e.g. the seccomp filter) for that case. */
#ifndef PR_SET_MDWE
#  define PR_SET_MDWE 65
#endif

/* Flag for the second argument of prctl(PR_SET_MDWE, ...). Guarded on its own
 * so that headers providing only one of the two names still get the other. */
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
#  define PR_MDWE_REFUSE_EXEC_GAIN 1
#endif