add MFD_EXEC and MFD_NOEXEC_SEAL flag to memfd_create

DreamConnected · kdrag0n · DreamConnected · commit 7ddafb1b8084 · 2025-10-27T17:42:13.000+08:00
Signed-off-by: DreamConnected &lt;1487442471@qq.com&gt;
Co-Authored-By: Danny Lin &lt;danny@kdrag0n.dev&gt;
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
@@ -2606,7 +2606,13 @@ FILE *make_anonymous_mount_file(const struct list_head *mount_entries,
 	int ret;
 	struct string_entry *entry;
 
-	fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC);
+	fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+	if (fd < 0 && errno == EINVAL) {
+		TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+		fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC);
+	}
+
 	if (fd < 0) {
 		char template[] = P_tmpdir "/.lxc_mount_file_XXXXXX";
 
@@ -3389,7 +3395,13 @@ static void turn_into_dependent_mounts(const struct lxc_rootfs *rootfs)
 		return;
 	}
 
-	memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC);
+	memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+	if (memfd < 0 && errno == EINVAL) {
+		TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+		memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC);
+	}
+
 	if (memfd < 0) {
 		char template[] = P_tmpdir "/.lxc_mountinfo_XXXXXX";
 
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
@@ -401,6 +401,14 @@
 #define MFD_ALLOW_SEALING 0x0002U
 #endif
 
+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 0x0008U
+#endif
+
+#ifndef MFD_EXEC
+#define MFD_EXEC 0x0010U
+#endif
+
 /**
  * BUILD_BUG_ON - break compile if a condition is true.
  * @condition: the condition which the compiler should know is false.
diff --git a/src/lxc/parse.c b/src/lxc/parse.c
@@ -56,7 +56,13 @@ int lxc_file_for_each_line_mmap(const char *file, lxc_file_cb callback, void *da
 	ssize_t bytes;
 	char *line;
 
-	memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC);
+	memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+	if (memfd < 0 && errno == EINVAL) {
+		TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+		memfd = memfd_create(".lxc_config_file", MFD_CLOEXEC);
+	}
+
 	if (memfd < 0) {
 		char template[] = P_tmpdir "/.lxc_config_file_XXXXXX";
 
diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
@@ -15,6 +15,9 @@
 #include "rexec.h"
 #include "string_utils.h"
 #include "syscall_wrappers.h"
+#include "log.h"
+
+lxc_log_define(rexec, lxc);
 
 #define LXC_MEMFD_REXEC_SEALS \
 	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
@@ -102,7 +105,13 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 	struct stat st = {0};
 #endif
 
-	memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
+	memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC | MFD_EXEC);
+
+	if (memfd < 0 && errno == EINVAL) {
+		TRACE("MFD_EXEC may unsupported, using MFD_ALLOW_SEALING and MFD_CLOEXEC");
+		memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC);
+	}
+	
 	if (memfd < 0) {
 		char template[PATH_MAX];
 
diff --git a/src/lxc/ringbuf.c b/src/lxc/ringbuf.c
@@ -11,10 +11,13 @@
 #include <sys/mman.h>
 #include <unistd.h>
 
+#include "log.h"
 #include "ringbuf.h"
 #include "syscall_wrappers.h"
 #include "utils.h"
 
+lxc_log_define(ringbuf, lxc);
+
 int lxc_ringbuf_create(struct lxc_ringbuf *buf, size_t size)
 {
 	__do_close int memfd = -EBADF;
@@ -34,7 +37,13 @@ int lxc_ringbuf_create(struct lxc_ringbuf *buf, size_t size)
 	if (buf->addr == MAP_FAILED)
 		return -EINVAL;
 
-	memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC);
+	memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
+
+	if (memfd < 0 && errno == EINVAL) {
+		TRACE("MFD_NOEXEC_SEAL may unsupported, using MFD_CLOEXEC only");
+		memfd = memfd_create(".lxc_ringbuf", MFD_CLOEXEC);
+	}
+
 	if (memfd < 0) {
 		char template[] = P_tmpdir "/.lxc_ringbuf_XXXXXX";
 
