1 files changed, 10 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index e14a473fe..ef7dd5c54 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
                KILL_PROCESS,
                RETURN_ALLOW,
+                // same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+#endif
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index e14a473fe..ef7dd5c54 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
240	KILL_PROCESS,	240	KILL_PROCESS,
241	RETURN_ALLOW,	241	RETURN_ALLOW,
242		242
		243	// same for pkey_mprotect(,,PROT_EXEC), where available
		244	#ifdef SYS_pkey_mprotect
		245	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
		246	EXAMINE_ARGUMENT(2),
		247	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
		248	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
		249	KILL_PROCESS,
		250	RETURN_ALLOW,
		251	#endif
		252
243	// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)	253	// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
244	#ifdef SYS_shmat	254	#ifdef SYS_shmat
245	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created	255	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created