treewide: memfd_create: use exec flags

Use the flags MEMFD_EXEC or MEMFD_NOEXEC_SEAL as applicable. These warnings instruct the kernel wether the memfd is executable or not. Without specifying those flags the kernel will emit the following warning since version 6.3, commit 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC"): kernel: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd'
2025-01-26 14:04:03 +03:00 · 2023-03-14 03:42:23 +00:00 · 2023-03-14 03:42:23 +00:00 · c29715a8f7
commit c29715a8f7
parent ad62530ebb
4 changed files with 20 additions and 11 deletions
--- a/src/basic/memfd-util.c
+++ b/src/basic/memfd-util.c
@ -65,7 +65,7 @@ int memfd_new(const char *name) {
                }
        }

-        return RET_NERRNO(memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC));
+        return memfd_create_wrapper(name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_NOEXEC_SEAL);
 }

 int memfd_map(int fd, uint64_t offset, size_t size, void **p) {
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@ -23,7 +23,9 @@
 #include "home-util.h"
 #include "homed-home-bus.h"
 #include "homed-home.h"
+#include "memfd-util.h"
 #include "missing_magic.h"
+#include "missing_mman.h"
 #include "missing_syscall.h"
 #include "mkdir.h"
 #include "path-util.h"
@ -1175,9 +1177,9 @@ static int home_start_work(Home *h, const char *verb, UserRecord *hr, UserRecord

        log_debug("Sending to worker: %s", formatted);

-        stdout_fd = memfd_create("homework-stdout", MFD_CLOEXEC);
+        stdout_fd = memfd_create_wrapper("homework-stdout", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
        if (stdout_fd < 0)
-                return -errno;
+                return stdout_fd;

        r = safe_fork_full("(sd-homework)",
                           (int[]) { stdin_fd, stdout_fd, STDERR_FILENO },
--- a/src/shared/data-fd-util.c
+++ b/src/shared/data-fd-util.c
@ -339,7 +339,8 @@ finish:

 int memfd_clone_fd(int fd, const char *name, int mode) {
        _cleanup_close_ int mfd = -EBADF;
-        bool ro;
+        struct stat st;
+        bool ro, exec;
        int r;

        /* Creates a clone of a regular file in a memfd. Unlike copy_data_fd() this returns strictly a memfd
@ -351,14 +352,19 @@ int memfd_clone_fd(int fd, const char *name, int mode) {
        assert(IN_SET(mode & O_ACCMODE, O_RDONLY, O_RDWR));
        assert((mode & ~(O_RDONLY|O_RDWR|O_CLOEXEC)) == 0);

-        ro = (mode & O_ACCMODE) == O_RDONLY;
-
-        mfd = memfd_create(name,
-                           ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
-                           (ro ? MFD_ALLOW_SEALING : 0));
-        if (mfd < 0)
+        if (fstat(fd, &st) < 0)
                return -errno;

+        ro = (mode & O_ACCMODE) == O_RDONLY;
+        exec = st.st_mode & 0111;
+
+        mfd = memfd_create_wrapper(name,
+                                   ((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
+                                   (ro ? MFD_ALLOW_SEALING : 0) |
+                                   (exec ? MFD_EXEC : MFD_NOEXEC_SEAL));
+        if (mfd < 0)
+                return mfd;
+
        r = copy_bytes(fd, mfd, UINT64_MAX, COPY_REFLINK);
        if (r < 0)
                return r;
--- a/src/shared/serialize.c
+++ b/src/shared/serialize.c
@ -6,6 +6,7 @@
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
+#include "memfd-util.h"
 #include "missing_mman.h"
 #include "missing_syscall.h"
 #include "parse-util.h"
@ -197,7 +198,7 @@ int deserialize_environment(const char *value, char ***list) {
 int open_serialization_fd(const char *ident) {
        int fd;

-        fd = memfd_create(ident, MFD_CLOEXEC);
+        fd = memfd_create_wrapper(ident, MFD_CLOEXEC | MFD_NOEXEC_SEAL);
        if (fd < 0) {
                const char *path;