diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/seccomp.c | 8 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
2 files changed, 10 insertions, 2 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index fc0299a34..2a719725e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) { | |||
258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), | 258 | BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC), |
259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), | 259 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1), |
260 | KILL_PROCESS, | 260 | KILL_PROCESS, |
261 | RETURN_ALLOW, | ||
262 | #endif | ||
263 | #ifdef SYS_memfd_create | ||
264 | // block memfd_create as it can be used to create | ||
265 | // arbitrary memory contents which can be later mapped | ||
266 | // as executable | ||
267 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1), | ||
268 | KILL_PROCESS, | ||
261 | RETURN_ALLOW | 269 | RETURN_ALLOW |
262 | #endif | 270 | #endif |
263 | }; | 271 | }; |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c3981336d..8f5aa777f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -747,8 +747,8 @@ $ firejail \-\-machine-id | |||
747 | Install a seccomp filter to block attempts to create memory mappings | 747 | Install a seccomp filter to block attempts to create memory mappings |
748 | that are both writable and executable, to change mappings to be | 748 | that are both writable and executable, to change mappings to be |
749 | executable, or to create executable shared memory. The filter examines | 749 | executable, or to create executable shared memory. The filter examines |
750 | the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system | 750 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and |
751 | calls and kills the process if necessary. | 751 | shmat system calls and kills the process if necessary. |
752 | .br | 752 | .br |
753 | 753 | ||
754 | .br | 754 | .br |