[RFC/discuss] memfd_secret(): opt-in visibility for security monitoring (eBPF/audit)

From: BoxStrikesTeam <hidden>
Date: 2026-07-08 12:10:02
Also in: linux-mm


Hi,

While experimenting with mseal() and memfd_secret() together on a
recent kernel, I ran into what looks like a gap worth discussing:
content placed in memfd_secret()-backed memory is invisible not just
to other processes, but also to in-kernel tracing/observability
mechanisms such as eBPF's bpf_probe_read_user() (EFAULT, as expected,
since the region is removed from the direct map and kernel page
tables entirely).

That's working as designed for the threat model memfd_secret targets
(protect secrets even from a compromised kernel / ROP-based
exfiltration). But it does mean a local, unprivileged process can
now allocate memory that:

 1. Is invisible to kernel-side introspection (eBPF tracing,
 /proc/<pid>/mem, ptrace-based tooling) once populated via
 memfd_secret(), and
 2. Can additionally be sealed against mprotect()/munmap()/mremap()
 via mseal() so its protection bits can't be relaxed either.

Neither primitive alone is new or alarming - mseal() protects mapping
metadata, not confidentiality, and memfd_secret() is explicitly
opt-in and disabled by default. But combined, they let a process
carve out a region that a host-based EDR relying on eBPF
tracing/probe_read helpers cannot inspect, and cannot force back into
an inspectable state either. For userland security tooling that
assumes 'anything a tracing eBPF program can attach to, it can read',
this is a small blind spot.

I want to be clear I'm not suggesting memfd_secret()'s core guarantee
should be weakened - the ability to keep data hidden from a
compromised kernel is the entire point, and forcibly exposing content
to tracing programs would undermine that model and create a new
attack surface via the eBPF verifier/helper path itself.

What I'd like to raise for discussion instead is something closer to
what was already anticipated in the original series - Mike, your
commit message for memfd_secret() mentions: 'Once there will be a use
case that will require exposing secretmem to the kernel it will be an
opt-in request in the system call flags.' Two lighter-weight
directions that stay consistent with that opt-in philosophy:

 a) An LSM hook / audit event at memfd_secret() call time (this
 echoes Christian Gottsche's 2022 RFC to label secretmem inodes
 via inode_init_security_anon for SELinux). Even without content
 visibility, logging 'process X created a N-byte kernel-invisible
 mapping' gives EDR/audit systems a behavioral signal to alert on,
 without touching the confidentiality guarantee at all.

 b) A distinct opt-in flag (as foreshadowed in the original commit)
 that a process could set to allow a CAP_BPF/CAP_SYS_ADMIN-gated
 tracing context to read the region for legitimate
 monitoring/debugging - fully opt-in, off by default, and never
 implicitly available to unprivileged tracers.

Is (a) something that's been considered further since the 2022
secretmem-inode-labeling thread? And is there any existing tracking
issue for the kind of opt-in-visibility idea in (b), or was it
dropped as not worth the complexity?

Happy to help test/write a small selftest if there's interest in
pursuing either direction.

Thanks,
BoxStrike Team.
Researcher:Eneshan Erdoğan Karaca, Other ananymous


Researcher emails:cyberblackk@proton.me
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help