Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/seccomp.c | 8 |
1 files changed, 8 insertions, 0 deletions
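--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
+RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+// block memfd_create as it can be used to create
+// arbitrary memory contents which can be later mapped
+// as executable
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+KILL_PROCESS,
 RETURN_ALLOW
 #endif
 };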
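Review bot: The `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1)` at new line 267 is reachable only through the jump-false offsets of the earlier per-syscall checks, because the shmat path at 258-261 now ends in its own `RETURN_ALLOW,` before it; the diffstat shows 8 insertions and 0 deletions, so those offsets outside the hunk were not adjusted, and if the `SYS_shmat` jump (or any earlier one) still targets the old shared `RETURN_ALLOW` at 261 the new check is dead code. Please confirm the skip offsets land on 267. The comparison also relies on the accumulator still holding the syscall number, which is true only on that skip path since the shmat block's AND at 258 overwrites it; a comment such as `// reached only from the skip jumps above: A still holds the syscall nr` would make the invariant explicit for the next maintainer. Moving the final `RETURN_ALLOW` outside `#ifdef SYS_memfd_create` would keep the filter's terminating return independent of which syscall numbers the target headers define. The body of memory_deny_write_execute begins outside the hunk.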