From 59e30614ad1cd7a8d6f3c685472fada37d1ed2d7 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 2 Mar 2019 19:24:02 +0200
Subject: mdwx: block memfd_create

Some profiles may need adjusting if app uses memfd_create(2) and memory-deny-write-execute was enabled.
---
 src/fseccomp/seccomp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/fseccomp/seccomp.c')

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index fc0299a34..2a719725e 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
+ RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+ // block memfd_create as it can be used to create
+ // arbitrary memory contents which can be later mapped
+ // as executable
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+ KILL_PROCESS,
 RETURN_ALLOW
 #endif
 };
-- 
cgit v1.2.3-54-g00ecf
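Review bot: The new `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1)` compares the accumulator without loading it first, so it only works because the shmat block above the hunk (the enclosing memory_deny_write_execute starts outside it) appears to leave the syscall number in the accumulator on its mismatch path; the sibling blocks seem to begin with their own load, and this one should too, with `EXAMINE_SYSCALL,` placed before the jump so the block stays correct if another check is ever inserted ahead of it. Relatedly, the closing `RETURN_ALLOW` now sits inside `#ifdef SYS_memfd_create`, so on a build without that symbol the shmat block's skip jump would, if it is sized like its siblings to land just past that block's `RETURN_ALLOW`, fall off the end of the program, which the kernel's BPF checker rejects at load time; a final unconditional `RETURN_ALLOW` after the last `#endif` closes that gap. Because the denial is `KILL_PROCESS` rather than an errno return, a runtime that probes memfd_create and would otherwise fall back to shm_open or O_TMPFILE dies instead of falling back, which is the profile breakage the commit message anticipates and is worth stating in the profile documentation. The added comment could also note that this is a hardening step rather than a complete W^X guarantee, since any writable file the sandbox can later mmap with PROT_EXEC offers the same primitive as a memfd.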