From eaa175c8d21c3360990b248020c0264fdb637fb6 Mon Sep 17 00:00:00 2001 From: Oliver Kunz Date: Tue, 25 Jul 2023 05:04:08 -0700 Subject: [PATCH] Sandbox2: Remove file sealing for in-memory files. The `CreateMemFd` function sets the `MFD_ALLOW_SEALING` flag which enables seals to be set and creating an empty file seal. PiperOrigin-RevId: 550850108 Change-Id: I1a84b7b14cc9396144048bbeb8995f2f7eca9fb7 --- sandboxed_api/sandbox2/util.cc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sandboxed_api/sandbox2/util.cc b/sandboxed_api/sandbox2/util.cc index 584566c..79a3cd1 100644 --- a/sandboxed_api/sandbox2/util.cc +++ b/sandboxed_api/sandbox2/util.cc @@ -251,9 +251,8 @@ bool CreateMemFd(int* fd, const char* name) { // Usually defined in linux/memfd.h. Define it here to avoid dependency on // UAPI headers. constexpr uintptr_t MFD_CLOEXEC = 0x0001; - constexpr uintptr_t MFD_ALLOW_SEALING = 0x0002; int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast(name), - MFD_CLOEXEC | MFD_ALLOW_SEALING); + MFD_CLOEXEC); if (tmp_fd < 0) { if (errno == ENOSYS) { SAPI_RAW_LOG(ERROR,