On 03/19/2014 08:06 PM, David Herrmann wrote: > Unlike existing techniques that provide similar protection, sealing allows > file-sharing without any trust-relationship. This is enforced by rejecting > seal > modifications if you don't own an exclusive reference to the given file. So if > you own a file-descriptor, you can be sure that no-one besides you can modify > the seals on the given file. This allows mapping shared files from untrusted > parties without the fear of the file getting truncated or modified by an > attacker.
How do you keep these promises on network and FUSE file systems? Surely there is still some trust involved for such descriptors? What happens if you create a loop device on a sealed descriptor? Why does memfd_create not create a file backed by a memory region in the current process? Wouldn't this be a far more generic primitive? Creating aliases of memory regions would be interesting for many things (not just libffi bypassing SELinux-enforced NX restrictions :-). -- Florian Weimer / Red Hat Product Security Team