author | Topi Miettinen <toiwoton@gmail.com> | 2019-03-02 19:24:02 +0200 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-03-05 10:14:07 +0200 |
commit | 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch) | |
tree | 4aa49cb9c9df3398c78010a015d443576f3dc993 /test/filters | |
parent | Refactor Transmission profiles (#2516) (diff) | |
download | firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip |
mdwx: block memfd_create
Some profiles may need adjusting if app uses memfd_create(2) and
memory-deny-write-execute was enabled.
Diffstat (limited to 'test/filters')
-rwxr-xr-x | test/filters/memwrexe | bin | 13168 -> 17096 bytes | |||
-rwxr-xr-x | test/filters/memwrexe-32.exp | 12 | ||||
-rw-r--r-- | test/filters/memwrexe.c | 16 | ||||
-rwxr-xr-x | test/filters/memwrexe.exp | 12 |
4 files changed, 40 insertions, 0 deletions
diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 3a079672c..669f0d320 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe | |||
Binary files differ | |||
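--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
 "mprotect successful" {puts "TESTING ERROR 12\n";exit}
 "Parent is shutting down"
 }
+after 100
+
+send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+"Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"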
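Review bot: The second `expect` block of the new memfd_create case passes whenever `Parent is shutting down` arrives without `memfd_create successful` first, so it cannot tell a call stopped by the seccomp filter from a helper that never reached the syscall. That could happen, for example, if `./memwrexe-32` is missing or the kernel has no memfd_create; this is inferred from the patterns, not observed. A comment above the block would make the limit explicit: `# passes on any exit without "memfd_create successful"; does not by itself prove the filter blocked the call`. The same applies to the identical block added in test/filters/memwrexe.exp.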
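--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 static void usage(void) {
 printf("memwrexe options\n");
 printf("where options is:\n");
 printf("\tmmap - mmap test\n");
 printf("\tmprotect - mprotect test\n");
+printf("\tmemfd_create - memfd_create test\n");
 }
 
 int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
 
 return 0;
 }
+
+else if (strcmp(argv[1], "memfd_create") == 0) {
+int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+if (fd == -1) {
+fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+return 1;
+}
+printf("memfd_create successful\n");
+
+// wait for expect to timeout
+sleep(100);
+
+return 0;
+}
 }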
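Review bot: The `fd == -1` branch of the new `memfd_create` case drops errno, so the test log cannot distinguish a call refused by the sandbox from a kernel that lacks the syscall (ENOSYS). Reporting the reason would fix that: `fprintf(stderr, "TESTING ERROR: cannot run memfd_create test: %s\n", strerror(errno));`, which needs `<errno.h>` if the file does not already include it; the include list starts above the first hunk. `SYS_memfd_create` is also used unguarded, so the helper will not build against headers that predate it; an `#ifdef SYS_memfd_create` around the branch would keep older build hosts working. `main` begins outside this hunk, so the earlier option handling was not reviewed.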
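--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
 "mprotect successful" {puts "TESTING ERROR 12\n";exit}
 "Parent is shutting down"
 }
+after 100
+
+send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+"Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"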