Add NOEXEC_SEAL and EXEC to MemfdFlags (#976)

rusty-snake · web-flow · commit 8edaecaedc6c · 2024-02-15T14:05:40.000-08:00
* Bump libc to 0.2.153 NOEXEC_SEAL and EXEC constants were added in libc 0.2.153 * Add NOEXEC_SEAL and EXEC to MemfdFlags Enabling non-executable memfds: https://lwn.net/Articles/918106/
diff --git a/Cargo.toml b/Cargo.toml
@@ -38,15 +38,15 @@ once_cell = { version = "1.5.2", optional = true }
 [target.'cfg(all(not(rustix_use_libc), not(miri), target_os = "linux", target_endian = "little", any(target_arch = "arm", all(target_arch = "aarch64", target_pointer_width = "64"), target_arch = "riscv64", all(rustix_use_experimental_asm, target_arch = "powerpc64"), all(rustix_use_experimental_asm, target_arch = "mips"), all(rustix_use_experimental_asm, target_arch = "mips32r6"), all(rustix_use_experimental_asm, target_arch = "mips64"), all(rustix_use_experimental_asm, target_arch = "mips64r6"), target_arch = "x86", all(target_arch = "x86_64", target_pointer_width = "64"))))'.dependencies]
 linux-raw-sys = { version = "0.4.12", default-features = false, features = ["general", "errno", "ioctl", "no_std", "elf"] }
 libc_errno = { package = "errno", version = "0.3.8", default-features = false, optional = true }
-libc = { version = "0.2.152", default-features = false, features = ["extra_traits"], optional = true }
+libc = { version = "0.2.153", default-features = false, features = ["extra_traits"], optional = true }
 
 # Dependencies for platforms where only libc is supported:
 #
 # On all other Unix-family platforms, and under Miri, we always use the libc
 # backend, so enable its dependencies unconditionally.
 [target.'cfg(all(not(windows), any(rustix_use_libc, miri, not(all(target_os = "linux", target_endian = "little", any(target_arch = "arm", all(target_arch = "aarch64", target_pointer_width = "64"), target_arch = "riscv64", all(rustix_use_experimental_asm, target_arch = "powerpc64"), all(rustix_use_experimental_asm, target_arch = "mips"), all(rustix_use_experimental_asm, target_arch = "mips32r6"), all(rustix_use_experimental_asm, target_arch = "mips64"), all(rustix_use_experimental_asm, target_arch = "mips64r6"), target_arch = "x86", all(target_arch = "x86_64", target_pointer_width = "64")))))))'.dependencies]
 libc_errno = { package = "errno", version = "0.3.8", default-features = false }
-libc = { version = "0.2.152", default-features = false, features = ["extra_traits"] }
+libc = { version = "0.2.153", default-features = false, features = ["extra_traits"] }
 
 # Additional dependencies for Linux with the libc backend:
 #
@@ -74,7 +74,7 @@ default-features = false
 
 [dev-dependencies]
 tempfile = "3.5.0"
-libc = "0.2.152"
+libc = "0.2.153"
 libc_errno = { package = "errno", version = "0.3.8", default-features = false }
 serial_test = "2.0.0"
 memoffset = "0.9.0"
diff --git a/src/backend/libc/fs/types.rs b/src/backend/libc/fs/types.rs
@@ -600,6 +600,13 @@ bitflags! {
         /// `MFD_HUGETLB` (since Linux 4.14)
         const HUGETLB = c::MFD_HUGETLB;
 
+        /// `MFD_NOEXEC_SEAL` (since Linux 6.3)
+        #[cfg(linux_kernel)]
+        const NOEXEC_SEAL = c::MFD_NOEXEC_SEAL;
+        /// `MFD_EXEC` (since Linux 6.3)
+        #[cfg(linux_kernel)]
+        const EXEC = c::MFD_EXEC;
+
         /// `MFD_HUGE_64KB`
         const HUGE_64KB = c::MFD_HUGE_64KB;
         /// `MFD_HUGE_512JB`
diff --git a/src/backend/linux_raw/fs/types.rs b/src/backend/linux_raw/fs/types.rs
@@ -428,6 +428,11 @@ bitflags! {
         /// `MFD_HUGETLB` (since Linux 4.14)
         const HUGETLB = linux_raw_sys::general::MFD_HUGETLB;
 
+        /// `MFD_NOEXEC_SEAL` (since Linux 6.3)
+        const NOEXEC_SEAL = linux_raw_sys::general::MFD_NOEXEC_SEAL;
+        /// `MFD_EXEC` (since Linux 6.3)
+        const EXEC = linux_raw_sys::general::MFD_EXEC;
+
         /// `MFD_HUGE_64KB`
         const HUGE_64KB = linux_raw_sys::general::MFD_HUGE_64KB;
         /// `MFD_HUGE_512JB`
