From ad262caef9f095e00ce51945020142838d93960e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 18 Aug 2017 08:09:38 -0400
Subject: memory-deny-write-execute testing
---
 src/fseccomp/seccomp.c | 5 +++++
 src/man/firejail.txt | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index c49681476..0112d8aec 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -237,6 +237,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+ // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -244,6 +245,9 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW,
+
+// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+#ifdef SYS_shmat // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
 EXAMINE_ARGUMENT(2),
@@ -251,6 +255,7 @@ void memory_deny_write_execute(const char *fname) {
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 KILL_PROCESS,
 RETURN_ALLOW
+#endif
 };
 write_to_file(fd, filter, sizeof(filter));
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 4a396b809..8dd4ef8fa 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
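Review bot: The `#ifdef SYS_shmat` guard compiles the shmat check out entirely where the symbol is missing, but on i386 shmat is still reachable through the multiplexed `ipc(2)` system call (`SYS_ipc` with call number `SHMAT`), so a sandboxed process there can still obtain executable shared memory on exactly the platform the new comment names. seccomp-bpf can cover that path: match `SYS_ipc`, examine `args[0]` (the kernel masks the call number with `0xffff`, so compare the low 16 bits against `SHMAT` from <linux/ipc.h>), then apply the same `SHM_EXEC` test to the shmflg argument, which glibc's wrapper passes as the third `ipc` argument — the argument position should be confirmed against the glibc source for this ABI before relying on it. The comment would then read more accurately as `// on i386 shmat has no syscall of its own and is multiplexed through ipc(2); ARM EABI does have SYS_shmat` (only legacy ARM OABI used ipc, so "possibly arm" looks too broad), and the man-page sentence added in the same commit, that shmat "cannot be handled by seccomp-bpf", would need the same correction. memory_deny_write_execute's body starts before this hunk.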
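Review bot: With `RETURN_ALLOW` now inside the `#ifdef`, a build without `SYS_shmat` ends the filter on the mprotect block's `RETURN_ALLOW,`, and if `EXAMINE_ARGUMENT` and the masked compare are one instruction each (the hunks show five instructions following each per-syscall `BPF_JUMP`), the mprotect `BPF_JUMP(..., SYS_mprotect, 0, 5)` fall-through edge then targets the slot just past the end of the program; the classic BPF validator rejects jump targets at or beyond program length, so the filter would fail to load on precisely the platforms the guard is meant to support. The same reasoning applies to the shmat `BPF_JUMP(..., SYS_shmat, 0, 5)` when it is compiled in, unless a terminating instruction exists outside what this hunk shows. Placing an unconditional `RETURN_ALLOW` after `#endif` as the array's last initializer gives every non-matching syscall a valid exit in both configurations, e.g. `+#endif` / `+ RETURN_ALLOW` / ` };`. memory_deny_write_execute's body starts before this hunk.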
@@ -744,7 +744,15 @@ $ firejail \-\-machine-id
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings that are both writable and executable, to change mappings to be
-executable or to create executable shared memory.
+executable, or to create executable shared memory. The filter examines
+the arguments of mmap, mmap2, mprotect and shmat system calls
+and kills the process if necessary.
 .br
+
+.br
+Note: shmat is not implemented
+as a system call on some platforms including i386, and it cannot be
+handled by seccomp-bpf.
 .TP
 \fB\-\-mtu=number
-- cgit v1.2.3-54-g00ecf