From abd84d4d8304590a3944eee385edbebc8dc3bda1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 23 Jun 2016 01:35:04 +0200
Subject: execute: be a little less drastic when MemoryDenyWriteExecute= hits

Let's politely refuse with EPERM rather than kill the whole thing right-away.
---
 src/core/execute.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 (limited to 'src/core')

diff --git a/src/core/execute.c b/src/core/execute.c
index 135e567222..cf52355fc4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
                 r = seccomp_rule_add(
                                 seccomp,
-                                SCMP_ACT_KILL,
+                                SCMP_ACT_ERRNO(EPERM),
                                 SCMP_SYS(mmap),
                                 1,
                                 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
@@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
                 r = seccomp_rule_add(
                                 seccomp,
-                                SCMP_ACT_KILL,
+                                SCMP_ACT_ERRNO(EPERM),
                                 SCMP_SYS(mprotect),
                                 1,
                                 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
--
cgit v1.2.3-54-g00ecf
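Review bot: The move from SCMP_ACT_KILL to SCMP_ACT_ERRNO(EPERM), in both the mmap rule and the mprotect rule of the second hunk, turns a fatal SIGSYS into an ordinary failed syscall, and nothing in the code records why; a comment above the first seccomp_rule_add() would keep a later reader from "tightening" it back: `/* Refuse with EPERM rather than SIGSYS so callers that probe for W^X (JITs, loaders) can fall back gracefully. The price is that a violation is no longer fatal and, unlike a kill, is typically not audited by the kernel. */`. A caller that does not check the mmap/mprotect return value now continues with the old protections instead of being terminated, so the MemoryDenyWriteExecute= documentation should state that the calls fail with EPERM rather than that the process is killed. The mprotect filter still matches any request containing PROT_EXEC, so an RW-to-RX transition is refused as well, while the mmap filter requires both PROT_EXEC and PROT_WRITE; whether that asymmetry is intended is not clear from the hunk. apply_memory_deny_write_execute() begins and ends outside both hunks.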