2 files changed, 12 insertions, 2 deletions

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index e14a473fe..ef7dd5c54 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
                 KILL_PROCESS,
                 RETURN_ALLOW,
 
+                // same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+#endif
+
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
                 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9f6da87ee..e0eb723bc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -763,8 +763,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect and shmat system calls
-and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
+calls and kills the process if necessary.
 .br
 
 .br