Revert "ashmem: Ensure all memfds have non-executable permissions by default"
This reverts commit ee7a713757314366023e855a76ff17943b6b9296.
Reason for revert: We would like to evaluate switching libcutils to
memfd against older kernels that don't support MFD_NOEXEC_SEAL, so
temporarily revert it. MFD_NOEXEC_SEAL will be brought back when
testing has concluded.
Bug: 401214539
Bug: 111903542
Change-Id: I2cf76e3545ac46a65b54889f9030ad44cb1e4d27
diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index cfc2d3a..5fbe8a1 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -114,15 +114,8 @@
// Check if kernel support exists, otherwise fall back to ashmem.
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
- //
- // MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device,
- // which did not have executable permissions. This also seals the executable
- // permissions of the buffer (i.e. they cannot be changed by fchmod()).
- //
- // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
-
android::base::unique_fd fd(
- syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL));
+ syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING));
if (fd == -1) {
ALOGE("memfd_create failed: %m, no memfd support");
return false;
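Review bot: Both `memfd_create` calls on the new side (this one and the one in `memfd_create_region` in the next hunk) no longer clear and seal the executable permission of the memfd, and nothing at either call site records that this is meant to be temporary. Instead of dropping the flag for every kernel, each call could try `MFD_NOEXEC_SEAL` first and retry with `MFD_ALLOW_SEALING` only when the kernel rejects the unknown flag with `EINVAL`. That keeps the hardening on kernels that support it and still allows the older-kernel evaluation the description mentions. If the plain revert is kept, a comment such as `// TODO: restore MFD_NOEXEC_SEAL once older-kernel memfd testing is done (see the Bug: lines of this revert)` at each call would keep the relaxation visible. The enclosing function starts and ends outside this hunk, and the sketch below assumes `errno` is already usable in this file.
```cpp
// Prefer the non-executable, exec-sealed memfd. Kernels that predate
// MFD_NOEXEC_SEAL reject the unknown flag with EINVAL, so retry there
// with plain sealing only.
int raw_fd = syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
if (raw_fd == -1 && errno == EINVAL) {
    raw_fd = syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING);
}
android::base::unique_fd fd(raw_fd);
if (fd == -1) {
// … unchanged: ALOGE and return false …
```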
@@ -290,13 +283,7 @@
static int memfd_create_region(const char* name, size_t size) {
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
- //
- // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did
- // not have executable permissions. This also seals the executable
- // permissions of the buffer (i.e. they cannot be changed by fchmod()).
- //
- // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
- android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL));
+ android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING));
if (fd == -1) {
ALOGE("memfd_create(%s, %zd) failed: %m", name, size);