Memory Sealing "mseal" System Call Merged For Linux 6.10

Written by Michael Larabel in Linux Security on 24 May 2024 at 08:15 PM EDT. 11 Comments
Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing.

The mseal system call was led by Jeff Xu of Google's Chrome team. The goal with memory sealing is to also protect the memory mapping itself against modification. The new mseal Linux documentation explains:
"Modern CPUs support memory permissions such as RW and NX bits. The memory permission feature improves security stance on memory corruption bugs, i.e. the attacker can’t just write to arbitrary memory and point the code to it, the memory has to be marked with X bit, or else an exception will happen.

Memory sealing additionally protects the mapping itself against modifications. This is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system. For example, such an attacker primitive can break control-flow integrity guarantees since read-only memory that is supposed to be trusted can become writable or .text pages can get remapped. Memory sealing can automatically be applied by the runtime loader to seal .text and .rodata pages and applications can additionally seal security critical data at runtime.

A similar feature already exists in the XNU kernel with the VM_FLAGS_PERMANENT flag and on OpenBSD with the mimmutable syscall."

The mseal system call is designed to be used by the likes of the GNU C Library "glibc" while loading ELF executables to seal non-writable memory segments or by the Google Chrome web browser and other browsers for protecting security sensitive data structures. There are also other applications to which this new memory sealing support can benefit.

RAM with tape... mseal

The memory sealing system call was originally presented last October and since then has gone through a number of revisions. Initially Linus Torvalds had some reservations around mseal but ultimately all of that was worked out and the code has now been merged upstream. The mseal system call landed a short time ago in Linux 6.10 Git via this merge. Yet another great addition for Linux 6.10 with the merge window wrapping up on Sunday with v6.10-rc1.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week