€•	Å      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ'/translations/zh_CN/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/zh_TW/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/it_IT/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/ja_JP/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/ko_KR/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/sp_SP/userspace-api/mseal”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒA/var/lib/git/docbuild/linux/Documentation/userspace-api/mseal.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒIntroduction of mseal”h]”hŒIntroduction of mseal”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ
field_list”“”)”}”(hhh]”hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒAuthor”h]”hŒAuthor”…””}”(hhÕhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhhÐhŸh³h K ubhŒ
field_body”“”)”}”(hŒJeff Xu <jeffxu@chromium.org>
”h]”hŒ	paragraph”“”)”}”(hŒJeff Xu <jeffxu@chromium.org>”h]”(hŒ	Jeff Xu <”…””}”(hhëhžhhŸNh NubhŒ	reference”“”)”}”(hŒjeffxu@chromium.org”h]”hŒjeffxu@chromium.org”…””}”(hhõhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:jeffxu@chromium.org”uh1hóhhëubhŒ>”…””}”(hhëhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Khhåubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhhÐubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÎhŸh³h KhhËhžhubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhh¶hžhhŸh³h Kubhê)”}”(hX-  Modern CPUs support memory permissions such as RW and NX bits. The memory
permission feature improves security stance on memory corruption bugs, i.e.
the attacker canâ€™t just write to arbitrary memory and point the code to it,
the memory has to be marked with X bit, or else an exception will happen.”h]”hX-  Modern CPUs support memory permissions such as RW and NX bits. The memory
permission feature improves security stance on memory corruption bugs, i.e.
the attacker canâ€™t just write to arbitrary memory and point the code to it,
the memory has to be marked with X bit, or else an exception will happen.”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K	hh¶hžhubhê)”}”(hX0  Memory sealing additionally protects the mapping itself against
modifications. This is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system. For example,
such an attacker primitive can break control-flow integrity guarantees
since read-only memory that is supposed to be trusted can become writable
or .text pages can get remapped. Memory sealing can automatically be
applied by the runtime loader to seal .text and .rodata pages and
applications can additionally seal security critical data at runtime.”h]”hX0  Memory sealing additionally protects the mapping itself against
modifications. This is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system. For example,
such an attacker primitive can break control-flow integrity guarantees
since read-only memory that is supposed to be trusted can become writable
or .text pages can get remapped. Memory sealing can automatically be
applied by the runtime loader to seal .text and .rodata pages and
applications can additionally seal security critical data at runtime.”…””}”(hj/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Khh¶hžhubhê)”}”(hŒ‡A similar feature already exists in the XNU kernel with the
VM_FLAGS_PERMANENT flag [1] and on OpenBSD with the mimmutable syscall [2].”h]”hŒ‡A similar feature already exists in the XNU kernel with the
VM_FLAGS_PERMANENT flag [1] and on OpenBSD with the mimmutable syscall [2].”…””}”(hj=  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Khh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒSYSCALL”h]”hŒSYSCALL”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjK  hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒmseal syscall signature”h]”hŒmseal syscall signature”…””}”(hj_  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj\  hžhhŸh³h KubhŒblock_quote”“”)”}”(hX"  ``int mseal(void *addr, size_t len, unsigned long flags)``

**addr**/**len**: virtual memory address range.
   The address range set by **addr**/**len** must meet:
      - The start address must be in an allocated VMA.
      - The start address must be page aligned.
      - The end address (**addr** + **len**) must be in an allocated VMA.
      - no gap (unallocated memory) between start and end address.

   The ``len`` will be paged aligned implicitly by the kernel.

**flags**: reserved for future use.

**Return values**:
   - **0**: Success.
   - **-EINVAL**:
      * Invalid input ``flags``.
      * The start address (``addr``) is not page aligned.
      * Address range (``addr`` + ``len``) overflow.
   - **-ENOMEM**:
      * The start address (``addr``) is not allocated.
      * The end address (``addr`` + ``len``) is not allocated.
      * A gap (unallocated memory) between start and end address.
   - **-EPERM**:
      * sealing is supported only on 64-bit CPUs, 32-bit is not supported.

**Note about error return**:
   - For above error cases, users can expect the given memory range is
     unmodified, i.e. no partial update.
   - There might be other internal errors/cases not listed here, e.g.
     error during merging/splitting VMAs, or the process reaching the maximum
     number of supported VMAs. In those cases, partial updates to the given
     memory range could happen. However, those cases should be rare.

**Architecture support**:
   mseal only works on 64-bit CPUs, not 32-bit CPUs.

**Idempotent**:
   users can call mseal multiple times. mseal on an already sealed memory
   is a no-action (not error).

**no munseal**
   Once mapping is sealed, it can't be unsealed. The kernel should never
   have munseal, this is consistent with other sealing feature, e.g.
   F_SEAL_SEAL for file.
”h]”(hê)”}”(hŒ:``int mseal(void *addr, size_t len, unsigned long flags)``”h]”hŒliteral”“”)”}”(hju  h]”hŒ6int mseal(void *addr, size_t len, unsigned long flags)”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hjs  ubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Khjo  ubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hXŠ  **addr**/**len**: virtual memory address range.
The address range set by **addr**/**len** must meet:
   - The start address must be in an allocated VMA.
   - The start address must be page aligned.
   - The end address (**addr** + **len**) must be in an allocated VMA.
   - no gap (unallocated memory) between start and end address.

The ``len`` will be paged aligned implicitly by the kernel.
”h]”(hŒterm”“”)”}”(hŒ/**addr**/**len**: virtual memory address range.”h]”(hŒstrong”“”)”}”(hŒ**addr**”h]”hŒaddr”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj™  ubhŒ/”…””}”(hj™  hžhhŸNh Nubjž  )”}”(hŒ**len**”h]”hŒlen”…””}”(hj±  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj™  ubhŒ: virtual memory address range.”…””}”(hj™  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K'hj“  ubhŒ
definition”“”)”}”(hhh]”(j  )”}”(hhh]”j’  )”}”(hX  The address range set by **addr**/**len** must meet:
- The start address must be in an allocated VMA.
- The start address must be page aligned.
- The end address (**addr** + **len**) must be in an allocated VMA.
- no gap (unallocated memory) between start and end address.
”h]”(j˜  )”}”(hŒ4The address range set by **addr**/**len** must meet:”h]”(hŒThe address range set by ”…””}”(hjÕ  hžhhŸNh Nubjž  )”}”(hŒ**addr**”h]”hŒaddr”…””}”(hjÝ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÕ  ubhŒ/”…””}”(hjÕ  hžhhŸNh Nubjž  )”}”(hŒ**len**”h]”hŒlen”…””}”(hjï  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÕ  ubhŒ must meet:”…””}”(hjÕ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K%hjÑ  ubjÊ  )”}”(hhh]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ.The start address must be in an allocated VMA.”h]”hê)”}”(hj  h]”hŒ.The start address must be in an allocated VMA.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K"hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hŒ'The start address must be page aligned.”h]”hê)”}”(hj*  h]”hŒ'The start address must be page aligned.”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K#hj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hŒAThe end address (**addr** + **len**) must be in an allocated VMA.”h]”hê)”}”(hjA  h]”(hŒThe end address (”…””}”(hjC  hžhhŸNh Nubjž  )”}”(hŒ**addr**”h]”hŒaddr”…””}”(hjJ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjC  ubhŒ + ”…””}”(hjC  hžhhŸNh Nubjž  )”}”(hŒ**len**”h]”hŒlen”…””}”(hj\  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjC  ubhŒ) must be in an allocated VMA.”…””}”(hjC  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K$hj?  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hŒ;no gap (unallocated memory) between start and end address.
”h]”hê)”}”(hŒ:no gap (unallocated memory) between start and end address.”h]”hŒ:no gap (unallocated memory) between start and end address.”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K%hjz  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j
  hŸh³h K"hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjÑ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K%hjÎ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjË  ubhê)”}”(hŒ;The ``len`` will be paged aligned implicitly by the kernel.”h]”(hŒThe ”…””}”(hj¬  hžhhŸNh Nubjx  )”}”(hŒ``len``”h]”hŒlen”…””}”(hj´  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hj¬  ubhŒ0 will be paged aligned implicitly by the kernel.”…””}”(hj¬  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K'hjË  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj“  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K'hjŽ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjo  ubhê)”}”(hŒ#**flags**: reserved for future use.”h]”(jž  )”}”(hŒ	**flags**”h]”hŒflags”…””}”(hjâ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÞ  ubhŒ: reserved for future use.”…””}”(hjÞ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K)hjo  ubj  )”}”(hhh]”(j’  )”}”(hXÏ  **Return values**:
- **0**: Success.
- **-EINVAL**:
   * Invalid input ``flags``.
   * The start address (``addr``) is not page aligned.
   * Address range (``addr`` + ``len``) overflow.
- **-ENOMEM**:
   * The start address (``addr``) is not allocated.
   * The end address (``addr`` + ``len``) is not allocated.
   * A gap (unallocated memory) between start and end address.
- **-EPERM**:
   * sealing is supported only on 64-bit CPUs, 32-bit is not supported.
”h]”(j˜  )”}”(hŒ**Return values**:”h]”(jž  )”}”(hŒ**Return values**”h]”hŒReturn values”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K6hjý  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hŒ**0**: Success.”h]”hê)”}”(hj%  h]”(jž  )”}”(hŒ**0**”h]”hŒ0”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj'  ubhŒ
: Success.”…””}”(hj'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K,hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj   ubj  )”}”(hŒ**-EINVAL**:
 * Invalid input ``flags``.
 * The start address (``addr``) is not page aligned.
 * Address range (``addr`` + ``len``) overflow.”h]”j  )”}”(hhh]”j’  )”}”(hŒŠ**-EINVAL**:
* Invalid input ``flags``.
* The start address (``addr``) is not page aligned.
* Address range (``addr`` + ``len``) overflow.”h]”(j˜  )”}”(hŒ**-EINVAL**:”h]”(jž  )”}”(hŒ**-EINVAL**”h]”hŒ-EINVAL”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjS  ubhŒ:”…””}”(hjS  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K/hjO  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hŒInvalid input ``flags``.”h]”hê)”}”(hjw  h]”(hŒInvalid input ”…””}”(hjy  hžhhŸNh Nubjx  )”}”(hŒ	``flags``”h]”hŒflags”…””}”(hj€  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hjy  ubhŒ.”…””}”(hjy  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K.hju  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjr  ubj  )”}”(hŒ1The start address (``addr``) is not page aligned.”h]”hê)”}”(hj   h]”(hŒThe start address (”…””}”(hj¢  hžhhŸNh Nubjx  )”}”(hŒ``addr``”h]”hŒaddr”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hj¢  ubhŒ) is not page aligned.”…””}”(hj¢  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K/hjž  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjr  ubj  )”}”(hŒ,Address range (``addr`` + ``len``) overflow.”h]”hê)”}”(hjÉ  h]”(hŒAddress range (”…””}”(hjË  hžhhŸNh Nubjx  )”}”(hŒ``addr``”h]”hŒaddr”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hjË  ubhŒ + ”…””}”(hjË  hžhhŸNh Nubjx  )”}”(hŒ``len``”h]”hŒlen”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hjË  ubhŒ) overflow.”…””}”(hjË  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K0hjÇ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjr  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  Œ*”uh1j
  hŸh³h K.hjo  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjO  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K/hjL  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjH  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj   ubj  )”}”(hŒµ**-ENOMEM**:
 * The start address (``addr``) is not allocated.
 * The end address (``addr`` + ``len``) is not allocated.
 * A gap (unallocated memory) between start and end address.”h]”j  )”}”(hhh]”j’  )”}”(hŒ²**-ENOMEM**:
* The start address (``addr``) is not allocated.
* The end address (``addr`` + ``len``) is not allocated.
* A gap (unallocated memory) between start and end address.”h]”(j˜  )”}”(hŒ**-ENOMEM**:”h]”(jž  )”}”(hŒ**-ENOMEM**”h]”hŒ-ENOMEM”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj,  ubhŒ:”…””}”(hj,  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K3hj(  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hŒ.The start address (``addr``) is not allocated.”h]”hê)”}”(hjP  h]”(hŒThe start address (”…””}”(hjR  hžhhŸNh Nubjx  )”}”(hŒ``addr``”h]”hŒaddr”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hjR  ubhŒ) is not allocated.”…””}”(hjR  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K2hjN  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjK  ubj  )”}”(hŒ6The end address (``addr`` + ``len``) is not allocated.”h]”hê)”}”(hjy  h]”(hŒThe end address (”…””}”(hj{  hžhhŸNh Nubjx  )”}”(hŒ``addr``”h]”hŒaddr”…””}”(hj‚  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hj{  ubhŒ + ”…””}”(hj{  hžhhŸNh Nubjx  )”}”(hŒ``len``”h]”hŒlen”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jw  hj{  ubhŒ) is not allocated.”…””}”(hj{  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K3hjw  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjK  ubj  )”}”(hŒ9A gap (unallocated memory) between start and end address.”h]”hê)”}”(hj´  h]”hŒ9A gap (unallocated memory) between start and end address.”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K4hj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjK  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j  uh1j
  hŸh³h K2hjH  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj(  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K3hj%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj   ubj  )”}”(hŒR**-EPERM**:
 * sealing is supported only on 64-bit CPUs, 32-bit is not supported.
”h]”j  )”}”(hhh]”j’  )”}”(hŒQ**-EPERM**:
* sealing is supported only on 64-bit CPUs, 32-bit is not supported.
”h]”(j˜  )”}”(hŒ**-EPERM**:”h]”(jž  )”}”(hŒ
**-EPERM**”h]”hŒ-EPERM”…””}”(hjö  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjò  ubhŒ:”…””}”(hjò  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K6hjî  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”j  )”}”(hŒCsealing is supported only on 64-bit CPUs, 32-bit is not supported.
”h]”hê)”}”(hŒBsealing is supported only on 64-bit CPUs, 32-bit is not supported.”h]”hŒBsealing is supported only on 64-bit CPUs, 32-bit is not supported.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K6hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubah}”(h]”h ]”h"]”h$]”h&]”j˜  j  uh1j
  hŸh³h K6hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjî  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K6hjë  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjç  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h K,hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjý  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K6hjú  ubj’  )”}”(hX   **Note about error return**:
- For above error cases, users can expect the given memory range is
  unmodified, i.e. no partial update.
- There might be other internal errors/cases not listed here, e.g.
  error during merging/splitting VMAs, or the process reaching the maximum
  number of supported VMAs. In those cases, partial updates to the given
  memory range could happen. However, those cases should be rare.
”h]”(j˜  )”}”(hŒ**Note about error return**:”h]”(jž  )”}”(hŒ**Note about error return**”h]”hŒNote about error return”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj`  ubhŒ:”…””}”(hj`  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K>hj\  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hŒeFor above error cases, users can expect the given memory range is
unmodified, i.e. no partial update.”h]”hê)”}”(hŒeFor above error cases, users can expect the given memory range is
unmodified, i.e. no partial update.”h]”hŒeFor above error cases, users can expect the given memory range is
unmodified, i.e. no partial update.”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K9hj‚  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubj  )”}”(hX  There might be other internal errors/cases not listed here, e.g.
error during merging/splitting VMAs, or the process reaching the maximum
number of supported VMAs. In those cases, partial updates to the given
memory range could happen. However, those cases should be rare.
”h]”hê)”}”(hX  There might be other internal errors/cases not listed here, e.g.
error during merging/splitting VMAs, or the process reaching the maximum
number of supported VMAs. In those cases, partial updates to the given
memory range could happen. However, those cases should be rare.”h]”hX  There might be other internal errors/cases not listed here, e.g.
error during merging/splitting VMAs, or the process reaching the maximum
number of supported VMAs. In those cases, partial updates to the given
memory range could happen. However, those cases should be rare.”…””}”(hjž  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K;hjš  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h K9hj|  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj\  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K>hjú  ubj’  )”}”(hŒL**Architecture support**:
mseal only works on 64-bit CPUs, not 32-bit CPUs.
”h]”(j˜  )”}”(hŒ**Architecture support**:”h]”(jž  )”}”(hŒ**Architecture support**”h]”hŒArchitecture support”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÈ  ubhŒ:”…””}”(hjÈ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h KAhjÄ  ubjÊ  )”}”(hhh]”hê)”}”(hŒ1mseal only works on 64-bit CPUs, not 32-bit CPUs.”h]”hŒ1mseal only works on 64-bit CPUs, not 32-bit CPUs.”…””}”(hjç  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KAhjä  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjÄ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h KAhjú  ubj’  )”}”(hŒs**Idempotent**:
users can call mseal multiple times. mseal on an already sealed memory
is a no-action (not error).
”h]”(j˜  )”}”(hŒ**Idempotent**:”h]”(jž  )”}”(hŒ**Idempotent**”h]”hŒ
Idempotent”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h KEhj  ubjÊ  )”}”(hhh]”hê)”}”(hŒbusers can call mseal multiple times. mseal on an already sealed memory
is a no-action (not error).”h]”hŒbusers can call mseal multiple times. mseal on an already sealed memory
is a no-action (not error).”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KDhj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h KEhjú  ubj’  )”}”(hŒ­**no munseal**
Once mapping is sealed, it can't be unsealed. The kernel should never
have munseal, this is consistent with other sealing feature, e.g.
F_SEAL_SEAL for file.
”h]”(j˜  )”}”(hŒ**no munseal**”h]”jž  )”}”(hjD  h]”hŒ
no munseal”…””}”(hjF  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjB  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h KJhj>  ubjÊ  )”}”(hhh]”hê)”}”(hŒOnce mapping is sealed, it can't be unsealed. The kernel should never
have munseal, this is consistent with other sealing feature, e.g.
F_SEAL_SEAL for file.”h]”hŒŸOnce mapping is sealed, it canâ€™t be unsealed. The kernel should never
have munseal, this is consistent with other sealing feature, e.g.
F_SEAL_SEAL for file.”…””}”(hj\  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KHhjY  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj>  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h KJhjú  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjo  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jm  hŸh³h Khj\  hžhubeh}”(h]”Œmseal-syscall-signature”ah ]”h"]”Œmseal syscall signature”ah$]”h&]”uh1h´hjK  hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ%Blocked mm syscall for sealed mapping”h]”hŒ%Blocked mm syscall for sealed mapping”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjŠ  hžhhŸh³h KMubjn  )”}”(hXo  It might be important to note: **once the mapping is sealed, it will
stay in the process's memory until the process terminates**.

Example::

      *ptr = mmap(0, 4096, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
      rc = mseal(ptr, 4096, 0);
      /* munmap will fail */
      rc = munmap(ptr, 4096);
      assert(rc < 0);

Blocked mm syscall:
   - munmap
   - mmap
   - mremap
   - mprotect and pkey_mprotect
   - some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
     MADV_DONTNEED_LOCKED, MADV_FREE, MADV_DONTFORK, MADV_WIPEONFORK

The first set of syscalls to block is munmap, mremap, mmap. They can
either leave an empty space in the address space, therefore allowing
replacement with a new mapping with new set of attributes, or can
overwrite the existing mapping with another mapping.

mprotect and pkey_mprotect are blocked because they changes the
protection bits (RWX) of the mapping.

Certain destructive madvise behaviors, specifically MADV_DONTNEED,
MADV_FREE, MADV_DONTNEED_LOCKED, and MADV_WIPEONFORK, can introduce
risks when applied to anonymous memory by threads lacking write
permissions. Consequently, these operations are prohibited under such
conditions. The aforementioned behaviors have the potential to modify
region contents by discarding pages, effectively performing a memset(0)
operation on the anonymous memory.

Kernel will return -EPERM for blocked syscalls.

When blocked syscall return -EPERM due to sealing, the memory regions may
or may not be changed, depends on the syscall being blocked:

   - munmap: munmap is atomic. If one of VMAs in the given range is
     sealed, none of VMAs are updated.
   - mprotect, pkey_mprotect, madvise: partial update might happen, e.g.
     when mprotect over multiple VMAs, mprotect might update the beginning
     VMAs before reaching the sealed VMA and return -EPERM.
   - mmap and mremap: undefined behavior.
”h]”(hê)”}”(hŒIt might be important to note: **once the mapping is sealed, it will
stay in the process's memory until the process terminates**.”h]”(hŒIt might be important to note: ”…””}”(hjŸ  hžhhŸNh Nubjž  )”}”(hŒa**once the mapping is sealed, it will
stay in the process's memory until the process terminates**”h]”hŒ_once the mapping is sealed, it will
stay in the processâ€™s memory until the process terminates”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ  ubhŒ.”…””}”(hjŸ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KNhj›  ubhê)”}”(hŒ	Example::”h]”hŒExample:”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KQhj›  ubhŒliteral_block”“”)”}”(hŒœ*ptr = mmap(0, 4096, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
rc = mseal(ptr, 4096, 0);
/* munmap will fail */
rc = munmap(ptr, 4096);
assert(rc < 0);”h]”hŒœ*ptr = mmap(0, 4096, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
rc = mseal(ptr, 4096, 0);
/* munmap will fail */
rc = munmap(ptr, 4096);
assert(rc < 0);”…””}”hjÏ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÍ  hŸh³h KShj›  ubj  )”}”(hhh]”j’  )”}”(hŒÌBlocked mm syscall:
- munmap
- mmap
- mremap
- mprotect and pkey_mprotect
- some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
  MADV_DONTNEED_LOCKED, MADV_FREE, MADV_DONTFORK, MADV_WIPEONFORK
”h]”(j˜  )”}”(hŒBlocked mm syscall:”h]”hŒBlocked mm syscall:”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K_hjà  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hŒmunmap”h]”hê)”}”(hjú  h]”hŒmunmap”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KZhjø  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubj  )”}”(hŒmmap”h]”hê)”}”(hj  h]”hŒmmap”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K[hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubj  )”}”(hŒmremap”h]”hê)”}”(hj(  h]”hŒmremap”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K\hj&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubj  )”}”(hŒmprotect and pkey_mprotect”h]”hê)”}”(hj?  h]”hŒmprotect and pkey_mprotect”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K]hj=  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubj  )”}”(hŒ~some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
MADV_DONTNEED_LOCKED, MADV_FREE, MADV_DONTFORK, MADV_WIPEONFORK
”h]”hê)”}”(hŒ}some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
MADV_DONTNEED_LOCKED, MADV_FREE, MADV_DONTFORK, MADV_WIPEONFORK”h]”hŒ}some destructive madvise behaviors: MADV_DONTNEED, MADV_FREE,
MADV_DONTNEED_LOCKED, MADV_FREE, MADV_DONTFORK, MADV_WIPEONFORK”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K^hjT  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjõ  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h KZhjò  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hjà  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K_hjÝ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hj›  ubhê)”}”(hX   The first set of syscalls to block is munmap, mremap, mmap. They can
either leave an empty space in the address space, therefore allowing
replacement with a new mapping with new set of attributes, or can
overwrite the existing mapping with another mapping.”h]”hX   The first set of syscalls to block is munmap, mremap, mmap. They can
either leave an empty space in the address space, therefore allowing
replacement with a new mapping with new set of attributes, or can
overwrite the existing mapping with another mapping.”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kahj›  ubhê)”}”(hŒemprotect and pkey_mprotect are blocked because they changes the
protection bits (RWX) of the mapping.”h]”hŒemprotect and pkey_mprotect are blocked because they changes the
protection bits (RWX) of the mapping.”…””}”(hj’  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kfhj›  ubhê)”}”(hX½  Certain destructive madvise behaviors, specifically MADV_DONTNEED,
MADV_FREE, MADV_DONTNEED_LOCKED, and MADV_WIPEONFORK, can introduce
risks when applied to anonymous memory by threads lacking write
permissions. Consequently, these operations are prohibited under such
conditions. The aforementioned behaviors have the potential to modify
region contents by discarding pages, effectively performing a memset(0)
operation on the anonymous memory.”h]”hX½  Certain destructive madvise behaviors, specifically MADV_DONTNEED,
MADV_FREE, MADV_DONTNEED_LOCKED, and MADV_WIPEONFORK, can introduce
risks when applied to anonymous memory by threads lacking write
permissions. Consequently, these operations are prohibited under such
conditions. The aforementioned behaviors have the potential to modify
region contents by discarding pages, effectively performing a memset(0)
operation on the anonymous memory.”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kihj›  ubhê)”}”(hŒ/Kernel will return -EPERM for blocked syscalls.”h]”hŒ/Kernel will return -EPERM for blocked syscalls.”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kqhj›  ubhê)”}”(hŒ†When blocked syscall return -EPERM due to sealing, the memory regions may
or may not be changed, depends on the syscall being blocked:”h]”hŒ†When blocked syscall return -EPERM due to sealing, the memory regions may
or may not be changed, depends on the syscall being blocked:”…””}”(hj¼  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kshj›  ubjn  )”}”(hXS  - munmap: munmap is atomic. If one of VMAs in the given range is
  sealed, none of VMAs are updated.
- mprotect, pkey_mprotect, madvise: partial update might happen, e.g.
  when mprotect over multiple VMAs, mprotect might update the beginning
  VMAs before reaching the sealed VMA and return -EPERM.
- mmap and mremap: undefined behavior.
”h]”j  )”}”(hhh]”(j  )”}”(hŒ`munmap: munmap is atomic. If one of VMAs in the given range is
sealed, none of VMAs are updated.”h]”hê)”}”(hŒ`munmap: munmap is atomic. If one of VMAs in the given range is
sealed, none of VMAs are updated.”h]”hŒ`munmap: munmap is atomic. If one of VMAs in the given range is
sealed, none of VMAs are updated.”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KvhjÑ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÎ  ubj  )”}”(hŒÀmprotect, pkey_mprotect, madvise: partial update might happen, e.g.
when mprotect over multiple VMAs, mprotect might update the beginning
VMAs before reaching the sealed VMA and return -EPERM.”h]”hê)”}”(hŒÀmprotect, pkey_mprotect, madvise: partial update might happen, e.g.
when mprotect over multiple VMAs, mprotect might update the beginning
VMAs before reaching the sealed VMA and return -EPERM.”h]”hŒÀmprotect, pkey_mprotect, madvise: partial update might happen, e.g.
when mprotect over multiple VMAs, mprotect might update the beginning
VMAs before reaching the sealed VMA and return -EPERM.”…””}”(hjí  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kxhjé  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÎ  ubj  )”}”(hŒ%mmap and mremap: undefined behavior.
”h]”hê)”}”(hŒ$mmap and mremap: undefined behavior.”h]”hŒ$mmap and mremap: undefined behavior.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K{hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÎ  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h KvhjÊ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jm  hŸh³h Kvhj›  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jm  hŸh³h KNhjŠ  hžhubeh}”(h]”Œ%blocked-mm-syscall-for-sealed-mapping”ah ]”h"]”Œ%blocked mm syscall for sealed mapping”ah$]”h&]”uh1h´hjK  hžhhŸh³h KMubeh}”(h]”Œsyscall”ah ]”h"]”Œsyscall”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ	Use cases”h]”hŒ	Use cases”…””}”(hj>  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj;  hžhhŸh³h K~ubj  )”}”(hhh]”(j  )”}”(hŒbglibc:
The dynamic linker, during loading ELF executables, can apply sealing to
mapping segments.
”h]”hê)”}”(hŒaglibc:
The dynamic linker, during loading ELF executables, can apply sealing to
mapping segments.”h]”hŒaglibc:
The dynamic linker, during loading ELF executables, can apply sealing to
mapping segments.”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KhjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjL  hžhhŸh³h Nubj  )”}”(hŒAChrome browser: protect some security sensitive data structures.
”h]”hê)”}”(hŒ@Chrome browser: protect some security sensitive data structures.”h]”hŒ@Chrome browser: protect some security sensitive data structures.”…””}”(hjk  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h Kƒhjg  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjL  hžhhŸh³h Nubj  )”}”(hX£  System mappings:
The system mappings are created by the kernel and includes vdso, vvar,
vvar_vclock, vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.

Those system mappings are readonly only or execute only, memory sealing can
protect them from ever changing to writable or unmmap/remapped as different
attributes. This is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system.

If supported by an architecture (CONFIG_ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS),
the CONFIG_MSEAL_SYSTEM_MAPPINGS seals all system mappings of this
architecture.

The following architectures currently support this feature: x86-64, arm64,
and s390.

WARNING: This feature breaks programs which rely on relocating
or unmapping system mappings. Known broken software at the time
of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Therefore
this config can't be enabled universally.
”h]”(hê)”}”(hŒ£System mappings:
The system mappings are created by the kernel and includes vdso, vvar,
vvar_vclock, vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.”h]”hŒ£System mappings:
The system mappings are created by the kernel and includes vdso, vvar,
vvar_vclock, vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.”…””}”(hjƒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K…hj  ubhê)”}”(hX  Those system mappings are readonly only or execute only, memory sealing can
protect them from ever changing to writable or unmmap/remapped as different
attributes. This is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system.”h]”hX  Those system mappings are readonly only or execute only, memory sealing can
protect them from ever changing to writable or unmmap/remapped as different
attributes. This is useful to mitigate memory corruption issues where a
corrupted pointer is passed to a memory management system.”…””}”(hj‘  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K‰hj  ubhê)”}”(hŒžIf supported by an architecture (CONFIG_ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS),
the CONFIG_MSEAL_SYSTEM_MAPPINGS seals all system mappings of this
architecture.”h]”hŒžIf supported by an architecture (CONFIG_ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS),
the CONFIG_MSEAL_SYSTEM_MAPPINGS seals all system mappings of this
architecture.”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KŽhj  ubhê)”}”(hŒTThe following architectures currently support this feature: x86-64, arm64,
and s390.”h]”hŒTThe following architectures currently support this feature: x86-64, arm64,
and s390.”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K’hj  ubhê)”}”(hŒëWARNING: This feature breaks programs which rely on relocating
or unmapping system mappings. Known broken software at the time
of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Therefore
this config can't be enabled universally.”h]”hŒíWARNING: This feature breaks programs which rely on relocating
or unmapping system mappings. Known broken software at the time
of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Therefore
this config canâ€™t be enabled universally.”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K•hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hjL  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h Khj;  hžhubeh}”(h]”Œ	use-cases”ah ]”h"]”Œ	use cases”ah$]”h&]”uh1h´hh¶hžhhŸh³h K~ubhµ)”}”(hhh]”(hº)”}”(hŒWhen not to use mseal”h]”hŒWhen not to use mseal”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÝ  hžhhŸh³h K›ubhê)”}”(hX"  Applications can apply sealing to any virtual memory region from userspace,
but it is *crucial to thoroughly analyze the mapping's lifetime* prior to
apply the sealing. This is because the sealed mapping *wonâ€™t be unmapped*
until the process terminates or the exec system call is invoked.”h]”(hŒVApplications can apply sealing to any virtual memory region from userspace,
but it is ”…””}”(hjî  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ6*crucial to thoroughly analyze the mapping's lifetime*”h]”hŒ6crucial to thoroughly analyze the mappingâ€™s lifetime”…””}”(hjø  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jö  hjî  ubhŒ@ prior to
apply the sealing. This is because the sealed mapping ”…””}”(hjî  hžhhŸNh Nubj÷  )”}”(hŒ*wonâ€™t be unmapped*”h]”hŒwonâ€™t be unmapped”…””}”(hj
	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jö  hjî  ubhŒA
until the process terminates or the exec system call is invoked.”…””}”(hjî  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KœhjÝ  hžhubj  )”}”(hhh]”j’  )”}”(hXš  For example:
- aio/shm
  aio/shm can call mmap and  munmap on behalf of userspace, e.g.
  ksys_shmdt() in shm.c. The lifetimes of those mapping are not tied to
  the lifetime of the process. If those memories are sealed from userspace,
  then munmap will fail, causing leaks in VMA address space during the
  lifetime of the process.

- ptr allocated by malloc (heap)
  Don't use mseal on the memory ptr return from malloc().
  malloc() is implemented by allocator, e.g. by glibc. Heap manager might
  allocate a ptr from brk or mapping created by mmap.
  If an app calls mseal on a ptr returned from malloc(), this can affect
  the heap manager's ability to manage the mappings; the outcome is
  non-deterministic.

  Example::

     ptr = malloc(size);
     /* don't call mseal on ptr return from malloc. */
     mseal(ptr, size);
     /* free will success, allocator can't shrink heap lower than ptr */
     free(ptr);
”h]”(j˜  )”}”(hŒFor example:”h]”hŒFor example:”…””}”(hj)	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j—  hŸh³h K·hj%	  ubjÊ  )”}”(hhh]”j  )”}”(hhh]”(j  )”}”(hX5  aio/shm
aio/shm can call mmap and  munmap on behalf of userspace, e.g.
ksys_shmdt() in shm.c. The lifetimes of those mapping are not tied to
the lifetime of the process. If those memories are sealed from userspace,
then munmap will fail, causing leaks in VMA address space during the
lifetime of the process.
”h]”hê)”}”(hX4  aio/shm
aio/shm can call mmap and  munmap on behalf of userspace, e.g.
ksys_shmdt() in shm.c. The lifetimes of those mapping are not tied to
the lifetime of the process. If those memories are sealed from userspace,
then munmap will fail, causing leaks in VMA address space during the
lifetime of the process.”h]”hX4  aio/shm
aio/shm can call mmap and  munmap on behalf of userspace, e.g.
ksys_shmdt() in shm.c. The lifetimes of those mapping are not tied to
the lifetime of the process. If those memories are sealed from userspace,
then munmap will fail, causing leaks in VMA address space during the
lifetime of the process.”…””}”(hjA	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K¢hj=	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj:	  ubj  )”}”(hX1  ptr allocated by malloc (heap)
Don't use mseal on the memory ptr return from malloc().
malloc() is implemented by allocator, e.g. by glibc. Heap manager might
allocate a ptr from brk or mapping created by mmap.
If an app calls mseal on a ptr returned from malloc(), this can affect
the heap manager's ability to manage the mappings; the outcome is
non-deterministic.

Example::

   ptr = malloc(size);
   /* don't call mseal on ptr return from malloc. */
   mseal(ptr, size);
   /* free will success, allocator can't shrink heap lower than ptr */
   free(ptr);
”h]”(hê)”}”(hXn  ptr allocated by malloc (heap)
Don't use mseal on the memory ptr return from malloc().
malloc() is implemented by allocator, e.g. by glibc. Heap manager might
allocate a ptr from brk or mapping created by mmap.
If an app calls mseal on a ptr returned from malloc(), this can affect
the heap manager's ability to manage the mappings; the outcome is
non-deterministic.”h]”hXr  ptr allocated by malloc (heap)
Donâ€™t use mseal on the memory ptr return from malloc().
malloc() is implemented by allocator, e.g. by glibc. Heap manager might
allocate a ptr from brk or mapping created by mmap.
If an app calls mseal on a ptr returned from malloc(), this can affect
the heap managerâ€™s ability to manage the mappings; the outcome is
non-deterministic.”…””}”(hjY	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K©hjU	  ubhê)”}”(hŒ	Example::”h]”hŒExample:”…””}”(hjg	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K±hjU	  ubjÎ  )”}”(hŒ¦ptr = malloc(size);
/* don't call mseal on ptr return from malloc. */
mseal(ptr, size);
/* free will success, allocator can't shrink heap lower than ptr */
free(ptr);”h]”hŒ¦ptr = malloc(size);
/* don't call mseal on ptr return from malloc. */
mseal(ptr, size);
/* free will success, allocator can't shrink heap lower than ptr */
free(ptr);”…””}”hju	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jÍ  hŸh³h K³hjU	  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j  hj:	  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h K¢hj7	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÉ  hj%	  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‘  hŸh³h K·hj"	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jŒ  hjÝ  hžhhŸNh Nubeh}”(h]”Œwhen-not-to-use-mseal”ah ]”h"]”Œwhen not to use mseal”ah$]”h&]”uh1h´hh¶hžhhŸh³h K›ubhµ)”}”(hhh]”(hº)”}”(hŒmseal doesn't block”h]”hŒmseal doesnâ€™t block”…””}”(hj¬	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj©	  hžhhŸh³h Kºubhê)”}”(hŒ¬In a nutshell, mseal blocks certain mm syscall from modifying some of VMA's
attributes, such as protection bits (RWX). Sealed mappings doesn't mean the
memory is immutable.”h]”hŒ°In a nutshell, mseal blocks certain mm syscall from modifying some of VMAâ€™s
attributes, such as protection bits (RWX). Sealed mappings doesnâ€™t mean the
memory is immutable.”…””}”(hjº	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K»hj©	  hžhubhê)”}”(hŒ¬As Jann Horn pointed out in [3], there are still a few ways to write
to RO memory, which is, in a way, by design. And those could be blocked
by different security measures.”h]”hŒ¬As Jann Horn pointed out in [3], there are still a few ways to write
to RO memory, which is, in a way, by design. And those could be blocked
by different security measures.”…””}”(hjÈ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h K¿hj©	  hžhubhê)”}”(hŒThose cases are:”h]”hŒThose cases are:”…””}”(hjÖ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÃhj©	  hžhubjn  )”}”(hŒ - Write to read-only memory through /proc/self/mem interface (FOLL_FORCE).
- Write to read-only memory through ptrace (such as PTRACE_POKETEXT).
- userfaultfd.
”h]”j  )”}”(hhh]”(j  )”}”(hŒHWrite to read-only memory through /proc/self/mem interface (FOLL_FORCE).”h]”hê)”}”(hjí	  h]”hŒHWrite to read-only memory through /proc/self/mem interface (FOLL_FORCE).”…””}”(hjï	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÅhjë	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè	  ubj  )”}”(hŒCWrite to read-only memory through ptrace (such as PTRACE_POKETEXT).”h]”hê)”}”(hj
  h]”hŒCWrite to read-only memory through ptrace (such as PTRACE_POKETEXT).”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÆhj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè	  ubj  )”}”(hŒuserfaultfd.
”h]”hê)”}”(hŒuserfaultfd.”h]”hŒuserfaultfd.”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÇhj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjè	  ubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h KÅhjä	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jm  hŸh³h KÅhj©	  hžhubhê)”}”(hŒ”The idea that inspired this patch comes from Stephen RÃ¶ttgerâ€™s work in V8
CFI [4]. Chrome browser in ChromeOS will be the first user of this API.”h]”hŒ”The idea that inspired this patch comes from Stephen RÃ¶ttgerâ€™s work in V8
CFI [4]. Chrome browser in ChromeOS will be the first user of this API.”…””}”(hj=
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÉhj©	  hžhubeh}”(h]”Œmseal-doesn-t-block”ah ]”h"]”Œmseal doesn't block”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kºubhµ)”}”(hhh]”(hº)”}”(hŒ	Reference”h]”hŒ	Reference”…””}”(hjV
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjS
  hžhhŸh³h KÍubj  )”}”(hhh]”(j  )”}”(hŒ€[1] https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/osfmk/mach/vm_statistics.h#L274”h]”hê)”}”(hji
  h]”(hŒ[1] ”…””}”(hjk
  hžhhŸNh Nubhô)”}”(hŒ|https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/osfmk/mach/vm_statistics.h#L274”h]”hŒ|https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/osfmk/mach/vm_statistics.h#L274”…””}”(hjr
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jt
  uh1hóhjk
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÎhjg
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjd
  hžhhŸh³h Nubj  )”}”(hŒ([2] https://man.openbsd.org/mimmutable.2”h]”hê)”}”(hj
  h]”(hŒ[2] ”…””}”(hj‘
  hžhhŸNh Nubhô)”}”(hŒ$https://man.openbsd.org/mimmutable.2”h]”hŒ$https://man.openbsd.org/mimmutable.2”…””}”(hj˜
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jš
  uh1hóhj‘
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÏhj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjd
  hžhhŸh³h Nubj  )”}”(hŒc[3] https://lore.kernel.org/lkml/CAG48ez3ShUYey+ZAFsU2i1RpQn0a5eOs2hzQ426FkcgnfUGLvA@mail.gmail.com”h]”hê)”}”(hjµ
  h]”(hŒ[3] ”…””}”(hj·
  hžhhŸNh Nubhô)”}”(hŒ_https://lore.kernel.org/lkml/CAG48ez3ShUYey+ZAFsU2i1RpQn0a5eOs2hzQ426FkcgnfUGLvA@mail.gmail.com”h]”hŒ_https://lore.kernel.org/lkml/CAG48ez3ShUYey+ZAFsU2i1RpQn0a5eOs2hzQ426FkcgnfUGLvA@mail.gmail.com”…””}”(hj¾
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jÀ
  uh1hóhj·
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÐhj³
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjd
  hžhhŸh³h Nubj  )”}”(hŒo[4] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc”h]”hê)”}”(hjÛ
  h]”(hŒ[4] ”…””}”(hjÝ
  hžhhŸNh Nubhô)”}”(hŒkhttps://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc”h]”hŒkhttps://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc”…””}”(hjä
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jæ
  uh1hóhjÝ
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1héhŸh³h KÑhjÙ
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjd
  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”j˜  j™  uh1j
  hŸh³h KÎhjS
  hžhubeh}”(h]”Œ	reference”ah ]”h"]”Œ	reference”ah$]”h&]”uh1h´hh¶hžhhŸh³h KÍubeh}”(h]”Œintroduction-of-mseal”ah ]”h"]”Œintroduction of mseal”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j8  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j  j  j8  j5  j‡  j„  j0  j-  jÚ  j×  j¦	  j£	  jP
  jM
  j
  j  uŒ	nametypes”}”(j  ‰j8  ‰j‡  ‰j0  ‰jÚ  ‰j¦	  ‰jP
  ‰j
  ‰uh}”(j  h¶j5  jK  j„  j\  j-  jŠ  j×  j;  j£	  jÝ  jM
  j©	  j  jS
  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.