diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2019-03-02 19:24:02 +0200 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-03-05 10:14:07 +0200 |
commit | 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch) | |
tree | 4aa49cb9c9df3398c78010a015d443576f3dc993 /src/fseccomp | |
parent | Refactor Transmission profiles (#2516) (diff) | |
download | firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip |
mdwx: block memfd_create
Some profiles may need adjusting if app uses memfd_create(2) and
memory-deny-write-execute was enabled.
Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/seccomp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index fc0299a34..2a719725e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) { | |||
258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), | 258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), |
259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), | 259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), |
260 | KILL_PROCESS, | 260 | KILL_PROCESS, |
261 | RETURN_ALLOW, | ||
262 | #endif | ||
263 | #ifdef SYS_memfd_create | ||
264 | // block memfd_create as it can be used to create | ||
265 | // arbitrary memory contents which can be later mapped | ||
266 | // as executable | ||
267 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1), | ||
268 | KILL_PROCESS, | ||
261 | RETURN_ALLOW | 269 | RETURN_ALLOW |
262 | #endif | 270 | #endif |
263 | }; | 271 | }; |