diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-07-29 19:53:27 +0300 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2017-07-30 16:48:16 +0000 |
| commit | 53606495188a5cc16ea67e3b65561127a98925b3 (patch) | |
| tree | 554c6e90c785ae015f8d784b593d9cdf75fde315 /src/fseccomp/seccomp.c | |
| parent | Improve loading of seccomp filter (diff) | |
| download | firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.gz firejail-53606495188a5cc16ea67e3b65561127a98925b3.tar.zst firejail-53606495188a5cc16ea67e3b65561127a98925b3.zip | |
Memory-deny-write-execute feature
Feature to block attempts to create writable and executable memory.
Diffstat (limited to 'src/fseccomp/seccomp.c')
| -rw-r--r-- | src/fseccomp/seccomp.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 4f8de8c5e..7d2ccbbce 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -19,7 +19,10 @@ | |||
| 19 | */ | 19 | */ |
| 20 | #include "fseccomp.h" | 20 | #include "fseccomp.h" |
| 21 | #include "../include/seccomp.h" | 21 | #include "../include/seccomp.h" |
| 22 | #include <sys/mman.h> | ||
| 23 | #include <sys/shm.h> | ||
| 22 | #include <sys/syscall.h> | 24 | #include <sys/syscall.h> |
| 25 | #include <sys/types.h> | ||
| 23 | 26 | ||
| 24 | static void add_default_list(int fd, int allow_debuggers) { | 27 | static void add_default_list(int fd, int allow_debuggers) { |
| 25 | #ifdef SYS_mount | 28 | #ifdef SYS_mount |
| @@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) { | |||
| 428 | // close file | 431 | // close file |
| 429 | close(fd); | 432 | close(fd); |
| 430 | } | 433 | } |
| 434 | |||
| 435 | void memory_deny_write_execute(const char *fname) { | ||
| 436 | // open file | ||
| 437 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | ||
| 438 | if (fd < 0) { | ||
| 439 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | ||
| 440 | exit(1); | ||
| 441 | } | ||
| 442 | |||
| 443 | filter_init(fd); | ||
| 444 | |||
| 445 | // build filter | ||
| 446 | static const struct sock_filter filter[] = { | ||
| 447 | #ifndef __x86_64__ | ||
| 448 | // block old multiplexing mmap syscall for i386 | ||
| 449 | BLACKLIST(SYS_mmap), | ||
| 450 | #endif | ||
| 451 | // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created | ||
| 452 | #ifndef __x86_64__ | ||
| 453 | // mmap2 is used for mmap on i386 these days | ||
| 454 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5), | ||
| 455 | #else | ||
| 456 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5), | ||
| 457 | #endif | ||
| 458 | EXAMINE_ARGUMENT(2), | ||
| 459 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), | ||
| 460 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), | ||
| 461 | KILL_PROCESS, | ||
| 462 | RETURN_ALLOW, | ||
| 463 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable | ||
| 464 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), | ||
| 465 | EXAMINE_ARGUMENT(2), | ||
| 466 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC), | ||
| 467 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1), | ||
| 468 | KILL_PROCESS, | ||
| 469 | RETURN_ALLOW, | ||
| 470 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created | ||
| 471 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), | ||
| 472 | EXAMINE_ARGUMENT(2), | ||
| 473 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), | ||
| 474 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), | ||
| 475 | KILL_PROCESS, | ||
| 476 | RETURN_ALLOW | ||
| 477 | }; | ||
| 478 | write_to_file(fd, filter, sizeof(filter)); | ||
| 479 | |||
| 480 | filter_end_blacklist(fd); | ||
| 481 | |||
| 482 | // close file | ||
| 483 | close(fd); | ||
| 484 | } | ||