mdwx: block memfd_create

Some profiles may need adjusting if app uses memfd_create(2) and
memory-deny-write-execute was enabled.

2 files changed, 10 insertions, 2 deletions

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index fc0299a34..2a719725e 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
                 KILL_PROCESS,
+                RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+                KILL_PROCESS,
                 RETURN_ALLOW
 #endif
         };
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c3981336d..8f5aa777f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -747,8 +747,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
-calls and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
+shmat system calls and kills the process if necessary.
 .br
 
 .br