Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 5 |
1 files changed, 5 insertions, 0 deletions
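--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
 // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
+// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+#ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW
+#endif
 };
 write_to_file(fd, filter, sizeof(filter));
 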
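Review bot: On targets where `SYS_shmat` is undefined the new `#ifdef` drops the shmat rule silently, so `memory_deny_write_execute` no longer enforces the no-W|X-shared-memory policy there — i386 (and the arm variants the comment hedges on) reach shmat through the multiplexed `ipc(2)` syscall, which this filter never inspects. The change makes the file compile again, but the guarantee is now weaker on exactly those targets and nothing in the hunk records that, so a reader of the resulting filter would assume shmat is covered. The comment on new line 249 should state the gap rather than describe shmat as "not implemented": `// shmat has no dedicated syscall number on some platforms (i386, possibly arm) and is reached via ipc(SHMAT, ...) instead; that path is not filtered here, so W|X shared memory remains possible on those targets`. A follow-up could add an `#else` rule that matches `SYS_ipc` with the call argument equal to SHMAT and tests the shmflg argument for SHM_EXEC — verify the argument positions against ipc(2) before relying on it, and note that `SYS_shmat` being defined is a libc-header property, so a libc could still route shmat through `ipc()` even where the direct rule is compiled in. The enclosing function and the `filter[]` initializer start before the first hunk.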