author | netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-18 08:09:38 -0400 |
commit | ad262caef9f095e00ce51945020142838d93960e (patch) | |
tree | f592b6bdba5b159cfe7e09e79c1dce8b8535fd46 /src | |
parent | private-lib (diff) | |
download | firejail-ad262caef9f095e00ce51945020142838d93960e.tar.gz firejail-ad262caef9f095e00ce51945020142838d93960e.tar.zst firejail-ad262caef9f095e00ce51945020142838d93960e.zip |
memory-deny-write-execute testing
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/seccomp.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
2 files changed, 14 insertions, 1 deletions
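--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
 // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
+// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+#ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW
+#endif
 };
 write_to_file(fd, filter, sizeof(filter));
 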
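Review bot: On a build where SYS_shmat is undefined, the miss path of the `SYS_mprotect` jump (jf=5, new line 242) now lands one instruction past the mprotect block's `RETURN_ALLOW,` at new line 247, because the shmat block that used to sit there is compiled out; classic BPF requires every jump target to fall inside the program, so the kernel would refuse the filter at load time rather than silently allowing the call. The `SYS_shmat` jump at new line 252 has the same shape, so its own miss path appears to run off the end of the array even when the block is compiled in, assuming EXAMINE_ARGUMENT expands to a single load and the hidden line 254 is the AND step as in the other blocks. Placing a terminal `RETURN_ALLOW` after `#endif`, outside the conditional, and turning the shmat block's last element into `RETURN_ALLOW,` gives both miss paths a valid landing instruction and keeps the program ending in a return on every platform. It would also help to note next to `#ifdef SYS_shmat` that the shmat path is left unfiltered where the syscall is absent, so the gap the man page now documents is visible in the code as well. memory_deny_write_execute begins and ends outside the hunks.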
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4a396b809..8dd4ef8fa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -744,7 +744,15 @@ $ firejail \-\-machine-id | |||
744 | \fB\-\-memory-deny-write-execute | 744 | \fB\-\-memory-deny-write-execute |
745 | Install a seccomp filter to block attempts to create memory mappings | 745 | Install a seccomp filter to block attempts to create memory mappings |
746 | that are both writable and executable, to change mappings to be | 746 | that are both writable and executable, to change mappings to be |
747 | executable or to create executable shared memory. | 747 | executable, or to create executable shared memory. The filter examines |
748 | the arguments of mmap, mmap2, mprotect and shmat system calls | ||
749 | and kills the process if necessary. | ||
750 | .br | ||
751 | |||
752 | .br | ||
753 | Note: shmat is not implemented | ||
754 | as a system call on some platforms including i386, and it cannot be | ||
755 | handled by seccomp-bpf. | ||
748 | 756 | ||
749 | .TP | 757 | .TP |
750 | \fB\-\-mtu=number | 758 | \fB\-\-mtu=number |