MFD_NOEXEC_SEAL memfd

AntelopeIO · Jan 17, 2024 · 4985686 · 4985686
1 parent 07f105e
commit 4985686
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp
@@ -1,13 +1,12 @@
 #pragma once
 
 #include <eosio/chain/webassembly/eos-vm-oc/ipc_protocol.hpp>
+#include <eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp>
 
 #include <boost/asio/local/datagram_protocol.hpp>
 
 #include <vector>
 
-#include <linux/memfd.h>
-
 namespace eosio { namespace chain { namespace eosvmoc {
 
 class wrapped_fd {
@@ -53,7 +52,7 @@ bool write_message_with_fds(int fd_to_send_to, const eosvmoc_message& message, c
 
 template<typename T>
 wrapped_fd memfd_for_bytearray(const T& bytes) {
-   int fd = memfd_create("eosvmoc_code", MFD_CLOEXEC);
+   int fd = exec_sealed_memfd_create("eosvmoc_code");
    FC_ASSERT(fd >= 0, "Failed to create memfd");
    FC_ASSERT(ftruncate(fd, bytes.size()) == 0, "failed to grow memfd");
    if(bytes.size()) {

diff --git a/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp
@@ -0,0 +1,21 @@
+#pragma once
+
+#include <linux/memfd.h>
+#include <sys/mman.h>
+
+namespace eosio::chain::eosvmoc {
+
+// added in glibc 2.38
+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 8U
+#endif
+
+inline int exec_sealed_memfd_create(const char* name) {
+   //kernels 6.3 through 6.6 by default warn when neither MFD_NOEXEC_SEAL nor MFD_EXEC are passed; optionally 6.3+
+   // may enforce MFD_NOEXEC_SEAL. Prior to 6.3 these flags will EINVAL.
+   if(int ret = memfd_create(name, MFD_CLOEXEC | MFD_NOEXEC_SEAL); ret >= 0 || errno != EINVAL)
+      return ret;
+   return memfd_create(name, MFD_CLOEXEC);
+}
+
+}
diff --git a/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp b/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp
@@ -1,19 +1,19 @@
 #include <eosio/chain/webassembly/eos-vm-oc/memory.hpp>
 #include <eosio/chain/webassembly/eos-vm-oc/intrinsic.hpp>
 #include <eosio/chain/webassembly/eos-vm-oc/intrinsic_mapping.hpp>
+#include <eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp>
 
 #include <fc/scoped_exit.hpp>
 
 #include <unistd.h>
 #include <sys/mman.h>
-#include <linux/memfd.h>
 
 namespace eosio { namespace chain { namespace eosvmoc {
 
 memory::memory(uint64_t sliced_pages) {
    uint64_t number_slices = sliced_pages + 1;
    uint64_t wasm_memory_size = sliced_pages * wasm_constraints::wasm_page_size;
-   int fd = memfd_create("eosvmoc_mem", MFD_CLOEXEC);
+   int fd = exec_sealed_memfd_create("eosvmoc_mem");
    FC_ASSERT(fd >= 0, "Failed to create memory memfd");
    auto cleanup_fd = fc::make_scoped_exit([&fd](){close(fd);});
    int ret = ftruncate(fd, wasm_memory_size+memory_prologue_size);