1 files changed, 8 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index fc0299a34..2a719725e 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
                KILL_PROCESS,
+                RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+                KILL_PROCESS,
                RETURN_ALLOW
 #endif
        };

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index fc0299a34..2a719725e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
258	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),	258	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
259	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),	259	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
260	KILL_PROCESS,	260	KILL_PROCESS,
		261	RETURN_ALLOW,
		262	#endif
		263	#ifdef SYS_memfd_create
		264	// block memfd_create as it can be used to create
		265	// arbitrary memory contents which can be later mapped
		266	// as executable
		267	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
		268	KILL_PROCESS,
261	RETURN_ALLOW	269	RETURN_ALLOW
262	#endif	270	#endif
263	};	271	};