Post Syndicated from daroc original https://lwn.net/Articles/1006375/

Jeff Xu has been working on

a patch set that makes certain mappings in a process’s address space
impossible to change, sealing them against tampering. This has some potential
security benefits — mainly, making
sure that someone cannot relocate the
vsyscall and
vDSO mappings — but some kernel developers haven’t
been impressed with the patches.
While the core functionality (sealing the mappings) is sound, some of the
supporting code for enabling and disabling the new feature caused concern by
going against the normal design for such things. Reviewers also questioned
how this feature would interact with checkpointing and with sandboxing.