authorLennart Poettering <lennart@poettering.net>2016-06-23 01:35:04 +0200
committerLennart Poettering <lennart@poettering.net>2016-06-23 01:35:04 +0200
commitabd84d4d8304590a3944eee385edbebc8dc3bda1 (patch)
treecc3b148dd2db31f53618d5953269eae70a52b9ae
parent686d9ba614adfef22b1eedc6d1565e18e8778829 (diff)
execute: be a little less drastic when MemoryDenyWriteExecute= hits
Let's politely refuse with EPERM rather than kill the whole process right away.
-rw-r--r--src/core/execute.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 135e567222..cf52355fc4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
r = seccomp_rule_add(
seccomp,
- SCMP_ACT_KILL,
+ SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap),
1,
SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
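Review bot: The rule at `SCMP_SYS(mmap)` matches only the `mmap` syscall number, so on architectures whose libc issues `mmap2` instead (32-bit ABIs such as i386 or ARM) a `PROT_WRITE|PROT_EXEC` mapping may not hit this filter at all — worth confirming against the libseccomp syscall table and adding a parallel `SCMP_SYS(mmap2)` rule with the same `SCMP_ACT_ERRNO(EPERM)` action and argument mask if so. Switching from `SCMP_ACT_KILL` to `SCMP_ACT_ERRNO(EPERM)` also changes the threat model: a denied call now returns an ordinary error instead of a SIGSYS, so a process (or an attacker inside it) can probe the policy and fall back, and nothing is logged unless seccomp auditing is enabled elsewhere. A short comment above the call would make that trade-off explicit for the next reader, e.g. `/* Deny W+X mappings with EPERM rather than SIGSYS: well-behaved JITs then fall back to W^X, but a denial is no longer a kill and leaves no signal in the process itself. */`. The enclosing function apply_memory_deny_write_execute() starts and ends outside this hunk, so the `r < 0` handling after the call is not visible here.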
@@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
r = seccomp_rule_add(
seccomp,
- SCMP_ACT_KILL,
+ SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1,
SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
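Review bot: The mprotect rule masks on `PROT_EXEC` alone, so any `mprotect(..., PROT_EXEC)` now fails with EPERM even when the caller is dropping `PROT_WRITE` in the same call (a writable-then-executable transition), which is presumably the intent since it closes the write-then-flip route, but the code does not say so and EPERM is easy to mistake for a page-permission bug. Suggest documenting that on the rule: `/* Any mprotect() that adds PROT_EXEC is refused, regardless of PROT_WRITE: memory that was ever writable must not become executable. */`. Note that with `SCMP_ACT_ERRNO` the kernel's own SIGSYS/audit trail for this event is gone, so detection of a JIT or exploit hitting the policy now depends on the caller logging the EPERM itself. As in the previous hunk, `mmap`/`mprotect` coverage of `mmap2` on 32-bit ABIs should be checked; the surrounding error handling lies outside the hunk.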