path: root/src/shared/seccomp-util.h
authorLennart Poettering <lennart@poettering.net>2017-02-08 15:14:02 +0100
committerMartin Pitt <martinpitt@users.noreply.github.com>2017-02-08 15:14:02 +0100
commit8a50cf6957f12dbb1f90411659da9b959a1983ff (patch)
tree478a9a32d69f6af15cee06ec346e140d686143a5 /src/shared/seccomp-util.h
parentb6f08ecda90b5ccb6c9c09e5976a627f5918dc0b (diff)
seccomp: MemoryDenyWriteExecute= should affect both mmap() and mmap2() (#5254)
On i386 we block the old mmap() call entirely, since we cannot properly filter it. Thankfully it hasn't been used by glibc for quite some time. Fixes: #5240
Diffstat (limited to 'src/shared/seccomp-util.h')
-rw-r--r--src/shared/seccomp-util.h7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 2563fcd38a..bfbfb5ab3d 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -84,6 +84,13 @@ int seccomp_memory_deny_write_execute(void);
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
#endif
+/* mmap() blocking is only available on some archs for now */
+#if defined(__x86_64__) || defined(__i386__)
+#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 0
+#else
+#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 1
+#endif
+
extern const uint32_t seccomp_local_archs[];
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \