authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-11-12 17:28:48 +0100
committerGitHub <noreply@github.com>2017-11-12 17:28:48 +0100
commitb835eeb4ec1dd122b6feff2b70881265c529fcdd (patch)
tree142441a6d10e94723e4fcb2ebb0caf711a356a00 /src/shared/seccomp-util.c
parentce5faeac1f79f3afefcc129025a1cec0211313fb (diff)
downloadsystemd-b835eeb4ec1dd122b6feff2b70881265c529fcdd.tar.gz
shared/seccomp: disallow pkey_mprotect the same as mprotect for W^X mappings (#7295)
MemoryDenyWriteExecution policy could be bypassed by using pkey_mprotect instead of mprotect to create an executable writable mapping. The impact is mitigated by the fact that the man page says "Note that this feature is fully available on x86-64, and partially on x86", so hopefully people do not rely on it as a sole security measure. Found by Karin Hossen and Thomas Imbert from Sogeti ESEC R&D. https://bugs.launchpad.net/bugs/1725348
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 420edf8299..f8f757650b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1440,6 +1440,12 @@ int seccomp_memory_deny_write_execute(void) {
if (r < 0)
continue;
+ r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
+ if (r < 0)
+ continue;
+
if (shmat_syscall != 0) {
r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
1,