From ce17788a48dfb059bf3fff5211d57f672d017ee9 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 11 Nov 2017 11:47:30 +0200
Subject: seccomp mdwx: block pkey_mprotect like mprotect
---
 src/fseccomp/seccomp.c | 10 ++++++++++
 src/man/firejail.txt | 4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index e14a473fe..ef7dd5c54 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,16 @@ void memory_deny_write_execute(const char *fname) {
 KILL_PROCESS,
 RETURN_ALLOW,
+ // same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+ EXAMINE_ARGUMENT(2),
+ BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+ KILL_PROCESS,
+ RETURN_ALLOW,
+#endif
+
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9f6da87ee..e0eb723bc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -763,8 +763,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings that are both writable and executable, to change mappings to be executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect and shmat system calls
-and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
+calls and kills the process if necessary.
 .br
 .br
-- 
cgit v1.2.3-70-g09d2
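Review bot: The new pkey_mprotect rules are compiled only under `#ifdef SYS_pkey_mprotect`, so a firejail built against headers that predate the syscall silently omits them while the man-page hunk in this same commit states unconditionally that pkey_mprotect is examined, leaving the W^X policy weaker than documented on such builds without any signal. Consider an `#else` branch with `#warning "SYS_pkey_mprotect undefined: memory-deny-write-execute will not cover pkey_mprotect"` so the gap is visible at build time, or a per-architecture fallback definition of the syscall number. The `0, 5` in the first `BPF_JUMP` is a hand-counted skip that presumably relies on `EXAMINE_ARGUMENT(2)` expanding to exactly one BPF instruction, mirroring the mprotect block above; a comment such as `// jf=5: skip the remaining 5 instructions of this block when the syscall does not match` would make that dependency explicit for the next edit to this table. memory_deny_write_execute begins and ends outside this hunk.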