> Also, why don't we tag each userland page with LX_BLKPAG_PXN?

Oh... I overlooked that. Certainly, no userland page should be set executable for the kernel. I'll fix.

> It would be nice to set SCTLR_EL1.WXN, by the way.

Yes, it is easy. But should this be synchronized with security.pax.mprotect.enabled? If so, we need an md-hook in the sysctl helper of pax.mprotect.enabled.

-- ryo shimizu
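As an added illustration (not code from this thread or from the NetBSD pmap), a small C model of how the AArch64 stage-1 leaf descriptor bits AP, PXN and UXN combine with SCTLR_EL1.WXN into an effective execute permission for EL1 and EL0; the bit positions are the architectural ones, the helper names are assumed for this example. It also shows why WXN interacts with PaX mprotect: a user page mapped writable silently loses execute permission at EL0 once WXN is on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions in an AArch64 stage-1 leaf (page/block) descriptor. */
#define DESC_AP_EL0   (UINT64_C(1) << 6)   /* AP[1]: accessible from EL0 */
#define DESC_AP_RO    (UINT64_C(1) << 7)   /* AP[2]: read-only */
#define DESC_PXN      (UINT64_C(1) << 53)  /* privileged execute-never */
#define DESC_UXN      (UINT64_C(1) << 54)  /* unprivileged execute-never */
/* SCTLR_EL1.WXN: write permission implies execute-never. */
#define SCTLR_WXN     (UINT64_C(1) << 19)

struct exec_perm { bool el1; bool el0; };

/* Effective execute permission of a leaf descriptor in the EL1&0 regime. */
static struct exec_perm
exec_perm(uint64_t desc, uint64_t sctlr)
{
    bool el0_access = (desc & DESC_AP_EL0) != 0;
    bool writable   = (desc & DESC_AP_RO) == 0;
    bool pxn = (desc & DESC_PXN) != 0;
    bool uxn = (desc & DESC_UXN) != 0;

    /* Architectural rule: memory writable at EL0 is never executable at EL1. */
    if (el0_access && writable)
        pxn = true;
    /* WXN: a writable region is XN at EL1, and also XN at EL0 if EL0 can write it. */
    if ((sctlr & SCTLR_WXN) && writable) {
        pxn = true;
        if (el0_access)
            uxn = true;
    }
    return (struct exec_perm){ .el1 = !pxn, .el0 = el0_access && !uxn };
}

/* A userland text page: read-only, EL0-accessible, and PXN so the kernel
 * never executes user-controlled code (the point raised in the thread). */
static uint64_t user_text_desc(void) { return DESC_AP_EL0 | DESC_AP_RO | DESC_PXN; }

int main(void)
{
    struct exec_perm p = exec_perm(DESC_AP_EL0, SCTLR_WXN); /* user RW page, WXN on */
    printf("user RW page under WXN: EL0 exec=%d EL1 exec=%d\n", p.el0, p.el1);
    return 0;
}
```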