Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 54 |
1 files changed, 54 insertions, 0 deletions
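--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
  */
 #include "fseccomp.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
+#include <sys/shm.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 
 static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) {
 	// close file
 	close(fd);
 }
+
+void memory_deny_write_execute(const char *fname) {
+	// open file
+	int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (fd < 0) {
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+		exit(1);
+	}
+
+	filter_init(fd);
+
+	// build filter
+	static const struct sock_filter filter[] = {
+#ifndef __x86_64__
+		// block old multiplexing mmap syscall for i386
+		BLACKLIST(SYS_mmap),
+#endif
+		// block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+#ifndef __x86_64__
+		// mmap2 is used for mmap on i386 these days
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
+#else
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
+#endif
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW,
+		// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW,
+		// block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW
+	};
+	write_to_file(fd, filter, sizeof(filter));
+
+	filter_end_blacklist(fd);
+
+	// close file
+	close(fd);
+}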
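Review bot: The mprotect rule in the filter table can be sidestepped on kernels that provide pkey_mprotect(2), which changes a mapping's protection exactly like mprotect but is not matched by any entry here, so a writable region could still be flipped to PROT_EXEC; a matching five-instruction block guarded by `#ifdef SYS_pkey_mprotect` (the same pattern the file already uses for `SYS_mount`) closes that hole. Every rule is self-contained and ends in its own RETURN_ALLOW, so the existing `0, 5` skip offsets remain correct and the new block can sit between the mprotect and shmat rules. Two caveats deserve a comment above the table: the `#ifndef __x86_64__` branches are described as "i386" by their comments, yet they also apply to other targets where `SYS_mmap2` may not exist and `SYS_mmap` is the only mmap entry point (aarch64, for instance), so an explicit `__i386__`/`__arm__` test would match the stated intent; and a syscall filter cannot stop the two-mapping bypass (one file mapped once writable and once executable), so this is hardening against accidental W|X memory rather than a complete guarantee.
```c
		// … unchanged: mmap/mmap2 and mprotect rules …
#ifdef SYS_pkey_mprotect
		// block pkey_mprotect(,,PROT_EXEC,) too; it changes protections like mprotect
		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
		EXAMINE_ARGUMENT(2),
		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
		KILL_PROCESS,
		RETURN_ALLOW,
#endif
		// … unchanged: shmat rule …
```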