mdwx: block memfd_create

Some profiles may need adjusting if app uses memfd_create(2) and memory-deny-write-execute was enabled.
author: Topi Miettinen <toiwoton@gmail.com> 2019-03-02 19:24:02 +0200
committer: Topi Miettinen <toiwoton@gmail.com> 2019-03-05 10:14:07 +0200
commit: 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch)
tree: 4aa49cb9c9df3398c78010a015d443576f3dc993 /test
parent: Refactor Transmission profiles (#2516) (diff)
download: firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz
firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst
firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip
4 files changed, 40 insertions, 0 deletions
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
index 3a079672c..669f0d320 100755
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
Binary files differ
diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp
index bd6a191f9..d012ada55 100755
--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
        "Parent is shutting down"
 }
+after 100
+send --  "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 after 100
 puts "\nall done\n"
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index b43b232d1..12787f3a5 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>
 static void usage(void) {
        printf("memwrexe options\n");
        printf("where options is:\n");
        printf("\tmmap - mmap test\n");
        printf("\tmprotect - mprotect test\n");
+        printf("\tmemfd_create - memfd_create test\n");
 }
 int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
                return 0;
        }
+        else if (strcmp(argv[1], "memfd_create") == 0) {
+                int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+                        return 1;
+                }
+                printf("memfd_create successful\n");
+                // wait for expect to timeout
+                sleep(100);
+                return 0;
+        }
 }
diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp
index da68b3b5f..d437d1ac5 100755
--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
        "Parent is shutting down"
 }
+after 100
+send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 after 100
 puts "\nall done\n"
author	Topi Miettinen <toiwoton@gmail.com>	2019-03-02 19:24:02 +0200
committer	Topi Miettinen <toiwoton@gmail.com>	2019-03-05 10:14:07 +0200
commit	59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 (patch)
tree	4aa49cb9c9df3398c78010a015d443576f3dc993 /test
parent	Refactor Transmission profiles (#2516) (diff)
download	firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.gz firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.tar.zst firejail-59e30614ad1cd7a8d6f3c685472fada37d1ed2d7.zip

diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 3a079672c..669f0d320 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe
Binary files differ


diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp index bd6a191f9..d012ada55 100755 --- a/test/filters/memwrexe-32.exp +++ b/test/filters/memwrexe-32.exp
@@ -29,6 +29,18 @@ expect {
29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}	29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
30	"Parent is shutting down"	30	"Parent is shutting down"
31	}	31	}
		32	after 100
		33
		34	send -- "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 20\n";exit}
		37	"Child process initialized"
		38	}
		39	expect {
		40	timeout {puts "TESTING ERROR 21\n";exit}
		41	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
		42	"Parent is shutting down"
		43	}
32		44
33	after 100	45	after 100
34	puts "\nall done\n"	46	puts "\nall done\n"


diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c index b43b232d1..12787f3a5 100644 --- a/test/filters/memwrexe.c +++ b/test/filters/memwrexe.c
@@ -6,12 +6,14 @@
6	#include <sys/stat.h>	6	#include <sys/stat.h>
7	#include <fcntl.h>	7	#include <fcntl.h>
8	#include <sys/mman.h>	8	#include <sys/mman.h>
		9	#include <sys/syscall.h>
9		10
10	static void usage(void) {	11	static void usage(void) {
11	printf("memwrexe options\n");	12	printf("memwrexe options\n");
12	printf("where options is:\n");	13	printf("where options is:\n");
13	printf("\tmmap - mmap test\n");	14	printf("\tmmap - mmap test\n");
14	printf("\tmprotect - mprotect test\n");	15	printf("\tmprotect - mprotect test\n");
		16	printf("\tmemfd_create - memfd_create test\n");
15	}	17	}
16		18
17	int main(int argc, char **argv) {	19	int main(int argc, char **argv) {
@@ -72,4 +74,18 @@ int main(int argc, char **argv) {
72		74
73	return 0;	75	return 0;
74	}	76	}
		77
		78	else if (strcmp(argv[1], "memfd_create") == 0) {
		79	int fd = syscall(SYS_memfd_create, "memfd_create", 0);
		80	if (fd == -1) {
		81	fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
		82	return 1;
		83	}
		84	printf("memfd_create successful\n");
		85
		86	// wait for expect to timeout
		87	sleep(100);
		88
		89	return 0;
		90	}
75	}	91	}


diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp index da68b3b5f..d437d1ac5 100755 --- a/test/filters/memwrexe.exp +++ b/test/filters/memwrexe.exp
@@ -29,6 +29,18 @@ expect {
29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}	29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
30	"Parent is shutting down"	30	"Parent is shutting down"
31	}	31	}
		32	after 100
		33
		34	send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 20\n";exit}
		37	"Child process initialized"
		38	}
		39	expect {
		40	timeout {puts "TESTING ERROR 21\n";exit}
		41	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
		42	"Parent is shutting down"
		43	}
32		44
33	after 100	45	after 100
34	puts "\nall done\n"	46	puts "\nall done\n"