diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
| commit | ad262caef9f095e00ce51945020142838d93960e (patch) | |
| tree | f592b6bdba5b159cfe7e09e79c1dce8b8535fd46 /src | |
| parent | private-lib (diff) | |
| download | firejail-ad262caef9f095e00ce51945020142838d93960e.tar.gz firejail-ad262caef9f095e00ce51945020142838d93960e.tar.zst firejail-ad262caef9f095e00ce51945020142838d93960e.zip | |
memory-deny-write-execute testing
Diffstat (limited to 'src')
| -rw-r--r-- | src/fseccomp/seccomp.c | 5 | ||||
| -rw-r--r-- | src/man/firejail.txt | 10 |
2 files changed, 14 insertions, 1 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index c49681476..0112d8aec 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) { | |||
| 237 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), | 237 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), |
| 238 | KILL_PROCESS, | 238 | KILL_PROCESS, |
| 239 | RETURN_ALLOW, | 239 | RETURN_ALLOW, |
| 240 | |||
| 240 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable | 241 | // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable |
| 241 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), | 242 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), |
| 242 | EXAMINE_ARGUMENT(2), | 243 | EXAMINE_ARGUMENT(2), |
| @@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) { | |||
| 244 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1), | 245 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1), |
| 245 | KILL_PROCESS, | 246 | KILL_PROCESS, |
| 246 | RETURN_ALLOW, | 247 | RETURN_ALLOW, |
| 248 | |||
| 249 | // shmat is not implemented as a syscall on some platforms (i386, possibly arm) | ||
| 250 | #ifdef SYS_shmat | ||
| 247 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created | 251 | // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created |
| 248 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), | 252 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), |
| 249 | EXAMINE_ARGUMENT(2), | 253 | EXAMINE_ARGUMENT(2), |
| @@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) { | |||
| 251 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), | 255 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), |
| 252 | KILL_PROCESS, | 256 | KILL_PROCESS, |
| 253 | RETURN_ALLOW | 257 | RETURN_ALLOW |
| 258 | #endif | ||
| 254 | }; | 259 | }; |
| 255 | write_to_file(fd, filter, sizeof(filter)); | 260 | write_to_file(fd, filter, sizeof(filter)); |
| 256 | 261 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4a396b809..8dd4ef8fa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -744,7 +744,15 @@ $ firejail \-\-machine-id | |||
| 744 | \fB\-\-memory-deny-write-execute | 744 | \fB\-\-memory-deny-write-execute |
| 745 | Install a seccomp filter to block attempts to create memory mappings | 745 | Install a seccomp filter to block attempts to create memory mappings |
| 746 | that are both writable and executable, to change mappings to be | 746 | that are both writable and executable, to change mappings to be |
| 747 | executable or to create executable shared memory. | 747 | executable, or to create executable shared memory. The filter examines |
| 748 | the arguments of mmap, mmap2, mprotect and shmat system calls | ||
| 749 | and kills the process if necessary. | ||
| 750 | .br | ||
| 751 | |||
| 752 | .br | ||
| 753 | Note: shmat is not implemented | ||
| 754 | as a system call on some platforms including i386, and it cannot be | ||
| 755 | handled by seccomp-bpf. | ||
| 748 | 756 | ||
| 749 | .TP | 757 | .TP |
| 750 | \fB\-\-mtu=number | 758 | \fB\-\-mtu=number |