core: Restrict mmap and mprotect with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)

New exec boolean MemoryDenyWriteExecute, when set, installs a seccomp filter to reject mmap(2) with PAGE_WRITE|PAGE_EXEC and mprotect(2) with PAGE_EXEC.
author: Topi Miettinen <topimiettinen@users.noreply.github.com> 2016-06-03 15:58:18 +0000
committer: Lennart Poettering <lennart@poettering.net> 2016-06-03 17:58:18 +0200
commit: f3e43635932c14f8f0aea078adf3bfe09a9ba683 (patch)
tree: 33371a308779fe106a49449cab1841ea1b4ec407 /src/shared
parent: de4503c8d9ea9799437695c988296cc532530a14 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index bf0b2e89e3..8f4f93ee0c 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -158,7 +158,7 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
                        "SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies",
                        "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit",
                        "PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges",
-                       "SyslogLevelPrefix", "Delegate", "RemainAfterElapse")) {
+                       "SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute")) {
 
                 r = parse_boolean(eq);
                 if (r < 0)
author	Topi Miettinen <topimiettinen@users.noreply.github.com>	2016-06-03 15:58:18 +0000
committer	Lennart Poettering <lennart@poettering.net>	2016-06-03 17:58:18 +0200
commit	f3e43635932c14f8f0aea078adf3bfe09a9ba683 (patch)
tree	33371a308779fe106a49449cab1841ea1b4ec407 /src/shared
parent	de4503c8d9ea9799437695c988296cc532530a14 (diff)