diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-11-11 11:47:30 +0200 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-11-11 11:47:30 +0200 |
| commit | ce17788a48dfb059bf3fff5211d57f672d017ee9 (patch) | |
| tree | 445f803bb3ca247e71dfa675569f10859e3a8514 /src/fseccomp | |
| parent | Add {b,d}nox aliases for inox browser (diff) | |
| download | firejail-ce17788a48dfb059bf3fff5211d57f672d017ee9.tar.gz firejail-ce17788a48dfb059bf3fff5211d57f672d017ee9.tar.zst firejail-ce17788a48dfb059bf3fff5211d57f672d017ee9.zip | |
seccomp mdwx: block pkey_mprotect like mprotect
Diffstat (limited to 'src/fseccomp')
| -rw-r--r-- | src/fseccomp/seccomp.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index e14a473fe..ef7dd5c54 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) { | |||
| 240 | KILL_PROCESS, | 240 | KILL_PROCESS, |
| 241 | RETURN_ALLOW, | 241 | RETURN_ALLOW, |
| 242 | 242 | ||
| 243 | // same for pkey_mprotect(,,PROT_EXEC), where available | ||
| 244 | #ifdef SYS_pkey_mprotect | ||
| 245 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5), | ||
| 246 | EXAMINE_ARGUMENT(2), | ||
| 247 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC), | ||
| 248 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1), | ||
| 249 | KILL_PROCESS, | ||
| 250 | RETURN_ALLOW, | ||
| 251 | #endif | ||
| 252 | |||
| 243 | // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le) | 253 | // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le) |
| 244 | #ifdef SYS_shmat | 254 | #ifdef SYS_shmat |
| 245 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created | 255 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created |