diff options
author | Lennart Poettering <lennart@poettering.net> | 2017-02-08 15:14:02 +0100 |
---|---|---|
committer | Martin Pitt <martinpitt@users.noreply.github.com> | 2017-02-08 15:14:02 +0100 |
commit | 8a50cf6957f12dbb1f90411659da9b959a1983ff (patch) | |
tree | 478a9a32d69f6af15cee06ec346e140d686143a5 /man/systemd.exec.xml | |
parent | b6f08ecda90b5ccb6c9c09e5976a627f5918dc0b (diff) |
seccomp: MemoryDenyWriteExecute= should affect both mmap() and mmap2() (#5254)
On i386 we block the old mmap() call entirely, since we cannot properly
filter it. Thankfully it hasn't been used by glibc since quite some
time.
Fixes: #5240
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index bb38ea2467..fd47b0a20a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1607,22 +1607,20 @@ <term><varname>MemoryDenyWriteExecute=</varname></term> <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and - executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory - segments as executable are prohibited. - Specifically, a system call filter is added that rejects - <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, - <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with <constant>PROT_EXEC</constant> set and - <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs - that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making - use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes - harder for software exploits to change running code dynamically. - If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> - capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> - is implied. - </para></listitem> + executable at the same time, or to change existing memory mappings to become executable, or mapping shared + memory segments as executable are prohibited. Specifically, a system call filter is added that rejects + <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both + <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, + <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with + <constant>PROT_EXEC</constant> set and + <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with + <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program + code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code + "trampoline" feature of various C compilers. This option improves service security, as it makes harder for + software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and + partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. If running + in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting + <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem> </varlistentry> <varlistentry> |