[$] An update on sealed system mappings
Jeff Xu has been working on a patch set that makes certain mappings in a process's address space impossible to change, sealing them against tampering. This has some potential security benefits - mainly, making sure that someone cannot relocate the vsyscall and vDSO mappings - but some kernel developers haven't been impressed with the patches. While the core functionality (sealing the mappings) is sound, some of the supporting code for enabling and disabling the new feature caused concern by going against the normal design for such things. Reviewers also questioned how this feature would interact with checkpointing and with sandboxing.