From 53606495188a5cc16ea67e3b65561127a98925b3 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 29 Jul 2017 19:53:27 +0300
Subject: Memory-deny-write-execute feature

Feature to block attempts to create writable and executable memory.
---
 src/fseccomp/seccomp.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

(limited to 'src/fseccomp/seccomp.c')

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 4f8de8c5e..7d2ccbbce 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
 */
 #include "fseccomp.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
+#include <sys/shm.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 
 static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) {
 	// close file
 	close(fd);
 }
+
+void memory_deny_write_execute(const char *fname) {
+	// open file
+	int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (fd < 0) {
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+		exit(1);
+	}
+
+	filter_init(fd);
+
+	// build filter
+	static const struct sock_filter filter[] = {
+#ifndef __x86_64__
+		// block old multiplexing mmap syscall for i386
+		BLACKLIST(SYS_mmap),
+#endif
+		// block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+#ifndef __x86_64__
+		// mmap2 is used for mmap on i386 these days
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
+#else
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
+#endif
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW,
+		// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW,
+		// block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
+		EXAMINE_ARGUMENT(2),
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+		KILL_PROCESS,
+		RETURN_ALLOW
+	};
+	write_to_file(fd, filter, sizeof(filter));
+
+	filter_end_blacklist(fd);
+
+	// close file
+	close(fd);
+}
-- 
cgit v1.2.3-54-g00ecf