diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-06-23 01:35:04 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-06-23 01:35:04 +0200 |
commit | abd84d4d8304590a3944eee385edbebc8dc3bda1 (patch) | |
tree | cc3b148dd2db31f53618d5953269eae70a52b9ae /src | |
parent | 686d9ba614adfef22b1eedc6d1565e18e8778829 (diff) |
execute: be a little less drastic when MemoryDenyWriteExecute= hits
Let's politely refuse with EPERM rather than kill the whole thing right-away.
Diffstat (limited to 'src')
-rw-r--r-- | src/core/execute.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 135e567222..cf52355fc4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) { r = seccomp_rule_add( seccomp, - SCMP_ACT_KILL, + SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE)); @@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) { r = seccomp_rule_add( seccomp, - SCMP_ACT_KILL, + SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); |