author | Topi Miettinen <toiwoton@gmail.com> | 2019-03-02 19:24:02 +0200 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-03-05 10:14:07 +0200 |
commit | 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch) | |
tree | 4aa49cb9c9df3398c78010a015d443576f3dc993 | |
parent | Refactor Transmission profiles (#2516) (diff) | |
mdwx: block memfd_create
Some profiles may need adjusting if an app uses memfd_create(2) and
memory-deny-write-execute is enabled.
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/fseccomp/seccomp.c | 8 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/filters/memwrexe | bin | 13168 -> 17096 bytes | |||
-rwxr-xr-x | test/filters/memwrexe-32.exp | 12 | ||||
-rw-r--r-- | test/filters/memwrexe.c | 16 | ||||
-rwxr-xr-x | test/filters/memwrexe.exp | 12 |
7 files changed, 51 insertions, 2 deletions
@@ -6,6 +6,7 @@ firejail (0.9.59) baseline; urgency=low | |||
6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader | 6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader |
7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor | 7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor |
8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings | 8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings |
9 | * memory-deny-write-execute now also blocks memfd_create | ||
9 | 10 | ||
10 | firejail (0.9.58,2) baseline; urgency=low | 11 | firejail (0.9.58,2) baseline; urgency=low |
11 | * cgroup flag in /etc/firejail/firejail.config file | 12 | * cgroup flag in /etc/firejail/firejail.config file |
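--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
+RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+// block memfd_create as it can be used to create
+// arbitrary memory contents which can be later mapped
+// as executable
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+KILL_PROCESS,
 RETURN_ALLOW
 #endif
 };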
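Review bot: The `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1)` at new line 267 compares the accumulator against a syscall number, but the last load visible in this hunk is the `SHM_EXEC` mask applied to the shmat argument, and `KILL_PROCESS` and `RETURN_ALLOW` on lines 260-261 are presumably BPF returns, so control can only reach line 267 through the jump-if-false offset of the `SYS_shmat` dispatch above the hunk, which this commit does not touch (the diffstat shows 8 insertions and no deletions for this file). If that offset still lands on the shmat block's `RETURN_ALLOW`, the new check is unreachable and `--memory-deny-write-execute` silently does not block memfd_create; if it lands on line 267, the accumulator holding the syscall number there is an invariant worth stating in the comment, e.g. `// accumulator still holds seccomp_data.nr: every earlier dispatch jumps here on mismatch`. Reloading the syscall number immediately before the new jump (the file's `EXAMINE_SYSCALL` statement, if that is what the earlier dispatches use) would make the check independent of the preceding block's register state. The final `RETURN_ALLOW` (line 269) now also sits inside `#ifdef SYS_memfd_create`; keeping one return outside both `#ifdef` blocks guarantees the program ends in a return regardless of which syscall numbers the build's headers define. The `filter[]` initializer starts before the hunk.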
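--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -747,8 +747,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
-calls and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
+shmat system calls and kills the process if necessary.
 .br
 
 .br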
diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 3a079672c..669f0d320 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe | |||
Binary files differ | |||
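--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
 "mprotect successful" {puts "TESTING ERROR 12\n";exit}
 "Parent is shutting down"
 }
+after 100
+
+send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+"Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"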
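--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 static void usage(void) {
 printf("memwrexe options\n");
 printf("where options is:\n");
 printf("\tmmap - mmap test\n");
 printf("\tmprotect - mprotect test\n");
+printf("\tmemfd_create - memfd_create test\n");
 }
 
 int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
 
 return 0;
 }
+
+else if (strcmp(argv[1], "memfd_create") == 0) {
+int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+if (fd == -1) {
+fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+return 1;
+}
+printf("memfd_create successful\n");
+
+// wait for expect to timeout
+sleep(100);
+
+return 0;
+}
 }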
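Review bot: The descriptor returned by `syscall(SYS_memfd_create, "memfd_create", 0)` at new line 79 is never closed, and the failure branch at line 81 discards `errno`, so a kernel that lacks memfd_create (ENOSYS) is reported without its cause and cannot be told apart from any other failure in the test log. I would report the reason, `fprintf(stderr, "TESTING ERROR: cannot run memfd_create test: %s\n", strerror(errno));` (with `<errno.h>` included if it is not already), and add `close(fd);` before the `sleep(100)` so the only thing the sleeping process holds open is itself. `SYS_memfd_create` is also used without the `#ifdef SYS_memfd_create` guard that seccomp.c applies, so this test program fails to compile on headers that do not define it. The `main()` body and the includes that declare `strcmp` and `sleep` start outside the hunk.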
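--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
 "mprotect successful" {puts "TESTING ERROR 12\n";exit}
 "Parent is shutting down"
 }
+after 100
+
+send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+"Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"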