diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2019-03-02 19:24:02 +0200 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2019-03-05 10:14:07 +0200 |
| commit | 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch) | |
| tree | 4aa49cb9c9df3398c78010a015d443576f3dc993 /src/fseccomp | |
| parent | Refactor Transmission profiles (#2516) (diff) | |
| download | firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip | |
mdwx: block memfd_create
Some profiles may need adjusting if app uses memfd_create(2) and
memory-deny-write-execute was enabled.
Diffstat (limited to 'src/fseccomp')
| -rw-r--r-- | src/fseccomp/seccomp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index fc0299a34..2a719725e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) { | |||
| 258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), | 258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), |
| 259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), | 259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), |
| 260 | KILL_PROCESS, | 260 | KILL_PROCESS, |
| 261 | RETURN_ALLOW, | ||
| 262 | #endif | ||
| 263 | #ifdef SYS_memfd_create | ||
| 264 | // block memfd_create as it can be used to create | ||
| 265 | // arbitrary memory contents which can be later mapped | ||
| 266 | // as executable | ||
| 267 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1), | ||
| 268 | KILL_PROCESS, | ||
| 261 | RETURN_ALLOW | 269 | RETURN_ALLOW |
| 262 | #endif | 270 | #endif |
| 263 | }; | 271 | }; |