Commit 5c63b463b87d3c06102a4a7f05f395929d9ea79b
2020-12-02T16:14:27
Use memfd_create() (#604) memfd_create creates a file in a memory-only filesystem that may bypass strict security protocols in filesystem-based temporary files.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
diff --git a/configure.ac b/configure.ac
index 790274e..093b87d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,9 @@ EOF
AM_MAINTAINER_MODE
+AC_CHECK_HEADERS(sys/memfd.h)
+AC_CHECK_FUNCS([memfd_create])
+
AC_CHECK_HEADERS(sys/mman.h)
AC_CHECK_FUNCS([mmap mkostemp])
AC_FUNC_MMAP_BLACKLIST
diff --git a/src/closures.c b/src/closures.c
index 4fe6158..dfc2f68 100644
--- a/src/closures.c
+++ b/src/closures.c
@@ -45,6 +45,9 @@
#include <stddef.h>
#include <unistd.h>
+#ifdef HAVE_SYS_MEMFD_H
+#include <sys/memfd.h>
+#endif
static const size_t overhead =
(sizeof(max_align_t) > sizeof(void *) + sizeof(size_t)) ?
@@ -544,6 +547,17 @@ static int execfd = -1;
/* The amount of space already allocated from the temporary file. */
static size_t execsize = 0;
+#ifdef HAVE_MEMFD_CREATE
+/* Open a temporary file name, and immediately unlink it. */
+static int
+open_temp_exec_file_memfd (const char *name)
+{
+ int fd;
+ fd = memfd_create (name, MFD_CLOEXEC);
+ return fd;
+}
+#endif
+
/* Open a temporary file name, and immediately unlink it. */
static int
open_temp_exec_file_name (char *name, int flags)
@@ -671,6 +685,9 @@ static struct
const char *arg;
int repeat;
} open_temp_exec_file_opts[] = {
+#ifdef HAVE_MEMFD_CREATE
+ { open_temp_exec_file_memfd, "libffi", 0 },
+#endif
{ open_temp_exec_file_env, "TMPDIR", 0 },
{ open_temp_exec_file_dir, "/tmp", 0 },
{ open_temp_exec_file_dir, "/var/tmp", 0 },