6 files changed, 127 insertions, 1 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index c49681476..0112d8aec 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
                KILL_PROCESS,
                RETURN_ALLOW,
                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
                EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
                KILL_PROCESS,
                RETURN_ALLOW,
+// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+#ifdef SYS_shmat
                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
                EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
                KILL_PROCESS,
                RETURN_ALLOW
+#endif
        };
        write_to_file(fd, filter, sizeof(filter));
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 4a396b809..8dd4ef8fa 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -744,7 +744,15 @@ $ firejail \-\-machine-id
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
-executable or to create executable shared memory.
+executable, or to create executable shared memory. The filter examines
+the arguments of mmap, mmap2, mprotect and shmat system calls
+and kills the process if necessary.
+.br
+.br
+Note: shmat is not implemented
+as a system call on some platforms including i386, and it cannot be
+handled by seccomp-bpf.
 .TP
 \fB\-\-mtu=number
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 6a5ec2b87..8f659237a 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -15,6 +15,9 @@ fi
 export PATH="$PATH:/usr/lib/firejail"
+echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
+./memwrexe.exp
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
new file mode 100755
index 000000000..3a079672c
--- /dev/null
+++ b/test/filters/memwrexe
Binary files differ
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
new file mode 100644
index 000000000..7e14aa23d
--- /dev/null
+++ b/test/filters/memwrexe.c
@@ -0,0 +1,76 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+static void usage(void) {
+        printf("memwrexe options\n");
+        printf("where options is:\n");
+        printf("\tmmap - mmap test\n");
+        printf("\tmprotect - mprotect test\n");
+}
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "TESTING ERROR: memwrexe insufficient params\n");
+                usage();
+                return 1;
+        }
+        
+        if (strcmp(argv[1], "mmap") == 0) {
+                // open some file
+                int fd = open("memwrexe.c", O_RDONLY);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+        
+                int size = lseek(fd, 0, SEEK_END);
+                if (size == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+                
+                void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
+                printf("mmap successful\n");
+                // wait for expect to timeout
+                sleep(100);
+                return 0;
+        }
+        else if (strcmp(argv[1], "mprotect") == 0) {
+                // open some file
+                int fd = open("memwrexe.c", O_RDWR);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+        
+                int size = lseek(fd, 0, SEEK_END);
+                if (size == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+                
+                void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
+                if (!p) {
+                        fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
+                        return 1;
+                }
+                
+                mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                printf("mprotect successful\n");
+                // wait for expect to timeout
+                sleep(100);
+                return 0;
+        }
+}
+        
+\ No newline at end of file
diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp
new file mode 100755
index 000000000..6a57b8a07
--- /dev/null
+++ b/test/filters/memwrexe.exp
@@ -0,0 +1,34 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --memory-deny-write-execute ./memwrexe mmap\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "mmap successful" {puts "TESTING ERROR 2\n";exit}
+        "Parent is shutting down"
+}
+after 100
+send --  "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
+        "Parent is shutting down"
+}
+after 100
+puts "\nall done\n"

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index c49681476..0112d8aec 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
237	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE\|PROT_EXEC, 0, 1),	237	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE\|PROT_EXEC, 0, 1),
238	KILL_PROCESS,	238	KILL_PROCESS,
239	RETURN_ALLOW,	239	RETURN_ALLOW,
		240
240	// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable	241	// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
241	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),	242	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
242	EXAMINE_ARGUMENT(2),	243	EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
244	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),	245	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
245	KILL_PROCESS,	246	KILL_PROCESS,
246	RETURN_ALLOW,	247	RETURN_ALLOW,
		248
		249	// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
		250	#ifdef SYS_shmat
247	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created	251	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created
248	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),	252	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
249	EXAMINE_ARGUMENT(2),	253	EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
251	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),	255	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
252	KILL_PROCESS,	256	KILL_PROCESS,
253	RETURN_ALLOW	257	RETURN_ALLOW
		258	#endif
254	};	259	};
255	write_to_file(fd, filter, sizeof(filter));	260	write_to_file(fd, filter, sizeof(filter));
256		261


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4a396b809..8dd4ef8fa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -744,7 +744,15 @@ $ firejail \-\-machine-id
744	\fB\-\-memory-deny-write-execute	744	\fB\-\-memory-deny-write-execute
745	Install a seccomp filter to block attempts to create memory mappings	745	Install a seccomp filter to block attempts to create memory mappings
746	that are both writable and executable, to change mappings to be	746	that are both writable and executable, to change mappings to be
747	executable or to create executable shared memory.	747	executable, or to create executable shared memory. The filter examines
		748	the arguments of mmap, mmap2, mprotect and shmat system calls
		749	and kills the process if necessary.
		750	.br
		751
		752	.br
		753	Note: shmat is not implemented
		754	as a system call on some platforms including i386, and it cannot be
		755	handled by seccomp-bpf.
748		756
749	.TP	757	.TP
750	\fB\-\-mtu=number	758	\fB\-\-mtu=number


diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 6a5ec2b87..8f659237a 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh
@@ -15,6 +15,9 @@ fi
15		15
16	export PATH="$PATH:/usr/lib/firejail"	16	export PATH="$PATH:/usr/lib/firejail"
17		17
		18	echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
		19	./memwrexe.exp
		20
18	echo "TESTING: debug options (test/filters/debug.exp)"	21	echo "TESTING: debug options (test/filters/debug.exp)"
19	./debug.exp	22	./debug.exp
20		23


diff --git a/test/filters/memwrexe b/test/filters/memwrexe new file mode 100755 index 000000000..3a079672c --- /dev/null +++ b/test/filters/memwrexe
Binary files differ


diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c new file mode 100644 index 000000000..7e14aa23d --- /dev/null +++ b/test/filters/memwrexe.c
@@ -0,0 +1,76 @@
		1	#include <stdio.h>
		2	#include <stdlib.h>
		3	#include <string.h>
		4	#include <unistd.h>
		5	#include <sys/types.h>
		6	#include <sys/stat.h>
		7	#include <fcntl.h>
		8	#include <sys/mman.h>
		9
		10	static void usage(void) {
		11	printf("memwrexe options\n");
		12	printf("where options is:\n");
		13	printf("\tmmap - mmap test\n");
		14	printf("\tmprotect - mprotect test\n");
		15	}
		16
		17	int main(int argc, char **argv) {
		18	if (argc != 2) {
		19	fprintf(stderr, "TESTING ERROR: memwrexe insufficient params\n");
		20	usage();
		21	return 1;
		22	}
		23
		24	if (strcmp(argv[1], "mmap") == 0) {
		25	// open some file
		26	int fd = open("memwrexe.c", O_RDONLY);
		27	if (fd == -1) {
		28	fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
		29	return 1;
		30	}
		31
		32	int size = lseek(fd, 0, SEEK_END);
		33	if (size == -1) {
		34	fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
		35	return 1;
		36	}
		37
		38	void *p = mmap (0, size, PROT_WRITE\|PROT_READ\|PROT_EXEC, MAP_SHARED, fd, 0);
		39	printf("mmap successful\n");
		40
		41	// wait for expect to timeout
		42	sleep(100);
		43
		44	return 0;
		45	}
		46
		47	else if (strcmp(argv[1], "mprotect") == 0) {
		48	// open some file
		49	int fd = open("memwrexe.c", O_RDWR);
		50	if (fd == -1) {
		51	fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
		52	return 1;
		53	}
		54
		55	int size = lseek(fd, 0, SEEK_END);
		56	if (size == -1) {
		57	fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
		58	return 1;
		59	}
		60
		61	void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
		62	if (!p) {
		63	fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
		64	return 1;
		65	}
		66
		67	mprotect(p, size, PROT_READ\|PROT_WRITE\|PROT_EXEC);
		68	printf("mprotect successful\n");
		69
		70	// wait for expect to timeout
		71	sleep(100);
		72
		73	return 0;
		74	}
		75	}
		76	\ No newline at end of file


diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp new file mode 100755 index 000000000..6a57b8a07 --- /dev/null +++ b/test/filters/memwrexe.exp
@@ -0,0 +1,34 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2017 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --memory-deny-write-execute ./memwrexe mmap\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Child process initialized"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"mmap successful" {puts "TESTING ERROR 2\n";exit}
		18	"Parent is shutting down"
		19	}
		20	after 100
		21
		22	send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 10\n";exit}
		25	"Child process initialized"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 11\n";exit}
		29	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
		30	"Parent is shutting down"
		31	}
		32
		33	after 100
		34	puts "\nall done\n"