mdwx: block memfd_create

Some profiles may need adjusting if app uses memfd_create(2) and memory-deny-write-execute was enabled.
author: Topi Miettinen <toiwoton@gmail.com> 2019-03-02 19:24:02 +0200
committer: Topi Miettinen <toiwoton@gmail.com> 2019-03-05 10:14:07 +0200
commit: 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch)
tree: 4aa49cb9c9df3398c78010a015d443576f3dc993
parent: Refactor Transmission profiles (#2516) (diff)
download: firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz
firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst
firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip
7 files changed, 51 insertions, 2 deletions
diff --git a/RELNOTES b/RELNOTES
index 4251ab9ff..633dbc253 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.59) baseline; urgency=low
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
+  * memory-deny-write-execute now also blocks memfd_create
 firejail (0.9.58,2) baseline; urgency=low
  * cgroup flag in /etc/firejail/firejail.config file
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index fc0299a34..2a719725e 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
                KILL_PROCESS,
+                RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+                KILL_PROCESS,
                RETURN_ALLOW
 #endif
        };
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c3981336d..8f5aa777f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -747,8 +747,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
-calls and kills the process if necessary.
+shmat system calls and kills the process if necessary.
 .br
 .br
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
index 3a079672c..669f0d320 100755
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
Binary files differ
diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp
index bd6a191f9..d012ada55 100755
--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
        "Parent is shutting down"
 }
+after 100
+send --  "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 after 100
 puts "\nall done\n"
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index b43b232d1..12787f3a5 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>
 static void usage(void) {
        printf("memwrexe options\n");
        printf("where options is:\n");
        printf("\tmmap - mmap test\n");
        printf("\tmprotect - mprotect test\n");
+        printf("\tmemfd_create - memfd_create test\n");
 }
 int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
                return 0;
        }
+        else if (strcmp(argv[1], "memfd_create") == 0) {
+                int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+                        return 1;
+                }
+                printf("memfd_create successful\n");
+                // wait for expect to timeout
+                sleep(100);
+                return 0;
+        }
 }
diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp
index da68b3b5f..d437d1ac5 100755
--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
        "Parent is shutting down"
 }
+after 100
+send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 after 100
 puts "\nall done\n"
author	Topi Miettinen <toiwoton@gmail.com>	2019-03-02 19:24:02 +0200
committer	Topi Miettinen <toiwoton@gmail.com>	2019-03-05 10:14:07 +0200
commit	59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch)
tree	4aa49cb9c9df3398c78010a015d443576f3dc993
parent	Refactor Transmission profiles (#2516) (diff)
download	firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip

diff --git a/RELNOTES b/RELNOTES index 4251ab9ff..633dbc253 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.59) baseline; urgency=low
6	* new profiles: netactview, redshift, devhelp, assogiate, subdownloader	6	* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
7	* new profiles: font-manager, exfalso, gconf-editor, dconf-editor	7	* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
8	* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings	8	* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
		9	* memory-deny-write-execute now also blocks memfd_create
9		10
10	firejail (0.9.58,2) baseline; urgency=low	11	firejail (0.9.58,2) baseline; urgency=low
11	* cgroup flag in /etc/firejail/firejail.config file	12	* cgroup flag in /etc/firejail/firejail.config file


diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index fc0299a34..2a719725e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
258	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),	258	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
259	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),	259	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
260	KILL_PROCESS,	260	KILL_PROCESS,
		261	RETURN_ALLOW,
		262	#endif
		263	#ifdef SYS_memfd_create
		264	// block memfd_create as it can be used to create
		265	// arbitrary memory contents which can be later mapped
		266	// as executable
		267	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
		268	KILL_PROCESS,
261	RETURN_ALLOW	269	RETURN_ALLOW
262	#endif	270	#endif
263	};	271	};


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c3981336d..8f5aa777f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -747,8 +747,8 @@ $ firejail \-\-machine-id
747	Install a seccomp filter to block attempts to create memory mappings	747	Install a seccomp filter to block attempts to create memory mappings
748	that are both writable and executable, to change mappings to be	748	that are both writable and executable, to change mappings to be
749	executable, or to create executable shared memory. The filter examines	749	executable, or to create executable shared memory. The filter examines
750	the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system	750	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
751	calls and kills the process if necessary.	751	shmat system calls and kills the process if necessary.
752	.br	752	.br
753		753
754	.br	754	.br


diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 3a079672c..669f0d320 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe
Binary files differ


diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp index bd6a191f9..d012ada55 100755 --- a/test/filters/memwrexe-32.exp +++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}	29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
30	"Parent is shutting down"	30	"Parent is shutting down"
31	}	31	}
		32	after 100
		33
		34	send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 20\n";exit}
		37	"Child process initialized"
		38	}
		39	expect {
		40	timeout {puts "TESTING ERROR 21\n";exit}
		41	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
		42	"Parent is shutting down"
		43	}
32		44
33	after 100	45	after 100
34	puts "\nall done\n"	46	puts "\nall done\n"


diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c index b43b232d1..12787f3a5 100644 --- a/test/filters/memwrexe.c +++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
6	#include <sys/stat.h>	6	#include <sys/stat.h>
7	#include <fcntl.h>	7	#include <fcntl.h>
8	#include <sys/mman.h>	8	#include <sys/mman.h>
		9	#include <sys/syscall.h>
9		10
10	static void usage(void) {	11	static void usage(void) {
11	printf("memwrexe options\n");	12	printf("memwrexe options\n");
12	printf("where options is:\n");	13	printf("where options is:\n");
13	printf("\tmmap - mmap test\n");	14	printf("\tmmap - mmap test\n");
14	printf("\tmprotect - mprotect test\n");	15	printf("\tmprotect - mprotect test\n");
		16	printf("\tmemfd_create - memfd_create test\n");
15	}	17	}
16		18
17	int main(int argc, char **argv) {	19	int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
72		74
73	return 0;	75	return 0;
74	}	76	}
		77
		78	else if (strcmp(argv[1], "memfd_create") == 0) {
		79	int fd = syscall(SYS_memfd_create, "memfd_create", 0);
		80	if (fd == -1) {
		81	fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
		82	return 1;
		83	}
		84	printf("memfd_create successful\n");
		85
		86	// wait for expect to timeout
		87	sleep(100);
		88
		89	return 0;
		90	}
75	}	91	}


diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp index da68b3b5f..d437d1ac5 100755 --- a/test/filters/memwrexe.exp +++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}	29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
30	"Parent is shutting down"	30	"Parent is shutting down"
31	}	31	}
		32	after 100
		33
		34	send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 20\n";exit}
		37	"Child process initialized"
		38	}
		39	expect {
		40	timeout {puts "TESTING ERROR 21\n";exit}
		41	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
		42	"Parent is shutting down"
		43	}
32		44
33	after 100	45	after 100
34	puts "\nall done\n"	46	puts "\nall done\n"