-rw-r--r-- | src/fseccomp/seccomp.c | 10 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
2 files changed, 12 insertions, 2 deletions
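--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
 KILL_PROCESS,
 RETURN_ALLOW,
 
+// same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+EXAMINE_ARGUMENT(2),
+BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+KILL_PROCESS,
+RETURN_ALLOW,
+#endif
+
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created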
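Review bot: The hard-coded `jf` offset of 5 in `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5)` is correct only if `EXAMINE_ARGUMENT(2)` expands to exactly one BPF instruction, so that the non-matching syscall skips the load, the AND, the JEQ, KILL_PROCESS and RETURN_ALLOW and lands on the shmat block; the macro is not visible in the hunk, so this presumably mirrors the mprotect block above, but a comment such as `// jf=5: skip EXAMINE_ARGUMENT (1 insn), AND, JEQ, KILL, ALLOW` would keep the offset from silently breaking if the macro changes. Separately, the `#ifdef SYS_pkey_mprotect` guard ties the check to the build-time headers rather than the running kernel: a binary built where the header lacks the constant omits the pkey_mprotect check even on a kernel that provides the syscall, leaving an executable-remap path that the mprotect check does not cover, while the man page change in src/man/firejail.txt states unconditionally that pkey_mprotect is examined. The comment on the new line 243 could say so explicitly, e.g. `// only when the build headers define SYS_pkey_mprotect; otherwise the filter does not cover it`. memory_deny_write_execute starts and ends outside the hunk.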
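--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -763,8 +763,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect and shmat system calls
-and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
+calls and kills the process if necessary.
 .br
 
 .br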