Re: [PATCH] dma-buf: use SB_I_NOEXEC and SB_I_NODEV

From: Christoph Hellwig
Date: Wed Oct 08 2025 - 02:16:19 EST


On Tue, Oct 07, 2025 at 11:10:32PM -0700, Kees Cook wrote:
> The dma-buf pseudo-filesystem should never have executable mappings nor
> device nodes. Set SB_I_NOEXEC and SB_I_NODEV on the superblock to enforce
> this at the filesystem level, similar to secretmem, commit 98f99394a104
> ("secretmem: use SB_I_NOEXEC").
>
> Fix the syzbot-reported warning from the exec code to enforce this
> requirement:

Can you please just enforce this in init_pseudo? If a file system
really wants to support devices or executables, it can clear them,
but a quick grep suggests that none of them should.