Enhancement. we need secure memory zone for started apps

[osevan]

https://www.phoronix.com/scan.php?page=news_item&px=memfd_secret-Secret-Linux-RAM

New syscall is available for new kernel.

[rusty-snake]

For what is it good? Can you explain more details what you think. How should it look like ( --secmem=5,512 fd=5, 512mb) and how it should work? Why does the sandboxed program create these zone not by itself? How does it help to sandbox the program?

this ability to create secret memory areas on the system is disabled by default unless a special option is passed at boot time.

Given that, it's possible we might see this new secret memory area system call introduced as part of the upcoming Linux 5.13 cycle

Will still take some time until users get this.

[osevan]

I thought, when secret memory reserved somewhere by firejail sandbox,other sandbox process cannot access in nemory each other.

....

[rusty-snake]

And then we LD_PRELOAD a malloc that uses this secure memory?

The sandbox protects the system from bad actions inside the sandbox. There is no protection for the sandbox.

[rusty-snake]

As long as nobody can say how we can use this, I close here.