Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 10 |
1 files changed, 10 insertions, 0 deletions
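--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
 KILL_PROCESS,
 RETURN_ALLOW,
 
+// same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+EXAMINE_ARGUMENT(2),
+BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+KILL_PROCESS,
+RETURN_ALLOW,
+#endif
+
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created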
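Review bot: The skip count 5 in `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5)` on new line 245 is a hand-maintained offset that must land exactly past `RETURN_ALLOW` on line 250, so the filter falls through to the shmat check when the syscall number does not match. That only holds if `EXAMINE_ARGUMENT(2)` expands to a single BPF instruction; the macro is defined outside this hunk, so please confirm it and that the offset matches the mprotect block this copies. A comment naming the dependency would keep the next edit from silently breaking the filter, e.g. `// jf=5 must equal the instruction count through RETURN_ALLOW below; EXAMINE_ARGUMENT must stay one BPF_STMT`. Note that when `SYS_pkey_mprotect` is undefined the guard omits the rule entirely, so on such builds pkey_mprotect is not covered by this deny; that is presumably intended but worth a word in the comment on line 243. The enclosing `memory_deny_write_execute` starts before and ends after the hunk.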