authorTopi Miettinen <topimiettinen@users.noreply.github.com>2016-06-03 15:58:18 +0000
committerLennart Poettering <lennart@poettering.net>2016-06-03 17:58:18 +0200
commitf3e43635932c14f8f0aea078adf3bfe09a9ba683 (patch)
tree33371a308779fe106a49449cab1841ea1b4ec407 /src/core/dbus-execute.c
parentde4503c8d9ea9799437695c988296cc532530a14 (diff)
core: Restrict mmap and mprotect with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)
New exec boolean MemoryDenyWriteExecute, when set, installs a seccomp filter to reject mmap(2) with PAGE_WRITE|PAGE_EXEC and mprotect(2) with PAGE_EXEC.
Diffstat (limited to 'src/core/dbus-execute.c')
-rw-r--r--src/core/dbus-execute.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index de29d5da04..4c88c41127 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -719,6 +719,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("RestrictAddressFamilies", "(bas)", property_get_address_families, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RuntimeDirectoryMode", "u", bus_property_get_mode, offsetof(ExecContext, runtime_directory_mode), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_VTABLE_END
};
@@ -1056,7 +1057,7 @@ int bus_exec_context_set_transient_property(
} else if (STR_IN_SET(name,
"IgnoreSIGPIPE", "TTYVHangup", "TTYReset",
"PrivateTmp", "PrivateDevices", "PrivateNetwork",
- "NoNewPrivileges", "SyslogLevelPrefix")) {
+ "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute")) {
int b;
r = sd_bus_message_read(message, "b", &b);
@@ -1080,6 +1081,8 @@ int bus_exec_context_set_transient_property(
c->no_new_privileges = b;
else if (streq(name, "SyslogLevelPrefix"))
c->syslog_level_prefix = b;
+ else if (streq(name, "MemoryDenyWriteExecute"))
+ c->memory_deny_write_execute = b;
unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, yes_no(b));
}
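Review bot: The `else if (streq(name, "MemoryDenyWriteExecute"))` branch extends a chain with no final `else`, so the `STR_IN_SET` list in the hunk at line 1057 and this chain must be kept in sync by hand. A name that is accepted by the list but missing here would still reach `unit_write_drop_in_private_format` without the value being stored in the in-memory `ExecContext`. For a hardening switch that outcome is fail-open, so I would close the chain with `else assert_not_reached("Unknown boolean property");`, or at least add the comment `/* keep in sync with the STR_IN_SET list above */`. The start of the chain and the enclosing mode check are outside this hunk, so confirm that no such guard already exists there.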