author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-28 15:41:07 +0200 |
committer | GitHub <noreply@github.com> | 2016-10-28 15:41:07 +0200 |
commit | fa1f250d6fc2141dd6c116424e25dba5aceeb85c (patch) | |
tree | b6155c62af999f8feb2f52f91312889a5abb28a2 /src | |
parent | 1740c5a807708e74a7270bfb23beac2039135859 (diff) | |
parent | d2ffa389b8112282be1633bb4638f6f47e159299 (diff) |
Merge pull request #4495 from topimiettinen/block-shmat-exec
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
Diffstat (limited to 'src')
-rw-r--r-- | src/core/execute.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 7f343c4902..ae9df41b99 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -29,8 +29,10 @@
 #include <sys/mman.h>
 #include <sys/personality.h>
 #include <sys/prctl.h>
+#include <sys/shm.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/types.h>
 #include <sys/un.h>
 #include <unistd.h>
 #include <utmpx.h>
@@ -1394,6 +1396,15 @@ static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c)
         if (r < 0)
                 goto finish;
 
+        r = seccomp_rule_add(
+                        seccomp,
+                        SCMP_ACT_ERRNO(EPERM),
+                        SCMP_SYS(shmat),
+                        1,
+                        SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
+        if (r < 0)
+                goto finish;
+
         r = seccomp_load(seccomp);
 
 finish:
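Review bot: The new seccomp_rule_add() for SCMP_SYS(shmat) carries no comment saying why a separate rule is needed next to the existing mmap/mprotect handling, and the reason is not obvious from the masked compare alone; I would add `/* shmat(..., SHM_EXEC) can map a writable SysV segment as executable, bypassing the mmap/mprotect PROT_EXEC rules above. */` directly above it. A second caveat worth a sentence in that comment: on architectures that multiplex shmat through the ipc() syscall rather than exposing it directly (I believe 32-bit x86 is one), a rule keyed on SCMP_SYS(shmat) presumably does not see the call, so MemoryDenyWriteExecute= is weaker there — worth confirming how seccomp_rule_add() behaves for such pseudo-syscalls and whether the r < 0 branch should tolerate that case instead of failing the whole filter. The enclosing apply_memory_deny_write_execute() starts and ends outside the hunk, so I cannot see which rules precede this one.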