author | netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
commit | ad262caef9f095e00ce51945020142838d93960e (patch) | |
tree | f592b6bdba5b159cfe7e09e79c1dce8b8535fd46 /src/fseccomp/seccomp.c | |
parent | private-lib (diff) | |
memory-deny-write-execute testing
Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 5 |
1 files changed, 5 insertions, 0 deletions
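--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
 // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
+// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+#ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW
+#endif
 };
 write_to_file(fd, filter, sizeof(filter));
 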
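Review bot: The `#ifdef SYS_shmat` guard makes the W&X shared-memory rule disappear silently on the platforms the new comment names, so memory-deny-write-execute is weaker there with no indication in the filter or the option's documentation. On i386 (and, if I recall correctly, other architectures without a direct shmat entry) the operation is reached through the `SYS_ipc` multiplexer with the `SHMAT` sub-call, which this filter never inspects. Either add an `#else` branch that filters `SYS_ipc` for that sub-call, or at least make the comment state the consequence, e.g. `// no SYS_shmat on this platform (i386 reaches shmat via ipc()): SHM_EXEC mappings are not blocked here`. The filter array and memory_deny_write_execute start before the first hunk.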