author | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
commit | e83c989bfd9fc9838b7dfb711d1dc6da81814045 (patch) | |
tree | fa5620c10fa6cb21df608febbefa032f116c308a /sandbox-seccomp-filter.c | |
parent | f6906f9bf12c968debec3671bbf19926ff8a235b (diff) | |
use SC_ALLOW_ARG_MASK to limit mmap protections
Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 7b44755c..840c5232 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -216,10 +216,10 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
- SC_ALLOW(__NR_mmap),
+ SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE),
 #endif
 #ifdef __NR_mmap2
- SC_ALLOW(__NR_mmap2),
+ SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE),
 #endif
 #ifdef __NR_mprotect
 SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), |
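Review bot: The no-executable-mappings property of the new `__NR_mmap` and `__NR_mmap2` entries rests only on PROT_EXEC being absent from a mask that is now written out three times (these two plus the existing `__NR_mprotect` line), and nothing in the array says the omission is deliberate. Since PROT_NONE is 0 on Linux it contributes no bits and is there for readability, so a later edit could easily let the three masks drift apart or add PROT_EXEC to one of them without noticing. I would define the mask once, e.g. `#define SC_PROT_NOEXEC (PROT_READ|PROT_WRITE|PROT_NONE)`, use it in all three entries, and add a comment such as `/* prot (arg 2) must not include PROT_EXEC: the sandboxed process may not create executable mappings */`. This assumes SC_ALLOW_ARG_MASK rejects any bit outside the mask; its definition and the rest of `preauth_insns` are outside the hunk, so confirm there that no other allowed syscall can still produce an executable mapping.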