authorThomas Weißschuh <thomas@t-8ch.de>2023-03-14 04:42:23 +0100
committerThomas Weißschuh <thomas@t-8ch.de>2023-03-15 02:18:59 +0100
commitc29715a8f77d96cd731b4a3083b3a852b3b61eb8 (patch)
treee2c8ed9dbc054bf7be6f27fb02f64e0249d6fbb1 /src/shared/data-fd-util.c
parentmemfd-util: add wrapper for memfd_create (diff)
treewide: memfd_create: use exec flags
Use the flags MEMFD_EXEC or MEMFD_NOEXEC_SEAL as applicable. These flags instruct the kernel whether the memfd is executable or not. Without specifying those flags the kernel will emit the following warning since version 6.3, commit 105ff5339f49 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC"): kernel: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=1 'systemd'
Diffstat (limited to 'src/shared/data-fd-util.c')
-rw-r--r--src/shared/data-fd-util.c16
1 files changed, 11 insertions, 5 deletions
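diff --git a/src/shared/data-fd-util.c b/src/shared/data-fd-util.c
index 0dbf89293f..4831682a02 100644
--- a/src/shared/data-fd-util.c
+++ b/src/shared/data-fd-util.c
@@ -339,7 +339,8 @@ finish:
 int memfd_clone_fd(int fd, const char *name, int mode) {
 _cleanup_close_ int mfd = -EBADF;
-bool ro;
+struct stat st;
+bool ro, exec;
 int r;
 /* Creates a clone of a regular file in a memfd. Unlike copy_data_fd() this returns strictly a memfd
@@ -351,13 +352,18 @@ int memfd_clone_fd(int fd, const char *name, int mode) {
 assert(IN_SET(mode & O_ACCMODE, O_RDONLY, O_RDWR));
 assert((mode & ~(O_RDONLY|O_RDWR|O_CLOEXEC)) == 0);
+if (fstat(fd, &st) < 0)
+return -errno;
+
 ro = (mode & O_ACCMODE) == O_RDONLY;
+exec = st.st_mode & 0111;
-mfd = memfd_create(name,
-((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
-(ro ? MFD_ALLOW_SEALING : 0));
+mfd = memfd_create_wrapper(name,
+((FLAGS_SET(mode, O_CLOEXEC) || ro) ? MFD_CLOEXEC : 0) |
+(ro ? MFD_ALLOW_SEALING : 0) |
+(exec ? MFD_EXEC : MFD_NOEXEC_SEAL));
 if (mfd < 0)
-return -errno;
+return mfd;
 r = copy_bytes(fd, mfd, UINT64_MAX, COPY_REFLINK);
 if (r < 0)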
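Review bot: The executable decision `exec = st.st_mode & 0111;` in the second hunk keys off any of the three execute bits (owner, group or other) and stores an int into a bool, which is terse for the line that decides whether the clone is sealed non-executable; I would write it `exec = (st.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) != 0;` and add to the function comment that starts at the top of the first hunk (it continues outside that hunk) a sentence stating that the memfd is created executable only if the source file has an execute bit set, and is otherwise sealed non-executable. Passing MFD_NOEXEC_SEAL on the read-write path also appears to make that memfd sealable — as far as I recall the kernel treats MFD_NOEXEC_SEAL as implying MFD_ALLOW_SEALING — which is a behaviour change for the rw case that the description does not mention and that callers expecting an unsealable rw memfd would want documented. The switch from `return -errno;` to `return mfd;` is correct only if memfd_create_wrapper returns a negative errno on failure, which the parent commit presumably establishes; a one-line comment at the call site saying so would save the next reader a lookup.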