From cf52e7dc50c044e2a8054e58d16ec66f23f0c5fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 10 Nov 2017 10:48:52 +0100
Subject: [PATCH] shared/seccomp: disallow pkey_mprotect the same as mprotect for W^X mappings

MemoryDenyWriteExecution policy could be be bypassed by using pkey_mprotect instead of mprotect to create an executable writable mapping.

Found by Karin Hossen and Thomas Imbert from Sogeti ESEC R&D.

https://bugs.launchpad.net/bugs/1725348
---
 man/systemd.exec.xml | 5 +++--
 src/shared/seccomp-util.c | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 6843c208ca..401f51b66a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1868,8 +1868,9 @@ CapabilityBoundingSet=~CAP_B CAP_C
 memory segments as executable are prohibited. Specifically, a system call filter is added that rejects mmap2 system calls with both PROT_EXEC and PROT_WRITE set,
- mprotect2 system calls with
- PROT_EXEC set and
+ mprotect2
+ or pkey_mprotect2
+ system calls with PROT_EXEC set and
 shmat2 system calls with SHM_EXEC set. Note that this option is incompatible with programs and libraries that generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 14a75bfffe..2661895751 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1433,6 +1433,12 @@ int seccomp_memory_deny_write_execute(void) {
 if (r < 0)
 continue;
 
+ r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
+ if (r < 0)
+ continue;
+
 if (shmat_syscall != 0) {
 r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
 1,
-- 
2.14.3
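Review bot: The new pkey_mprotect filter is added unconditionally, so on a build whose libseccomp headers do not yet know this syscall, `SCMP_SYS(pkey_mprotect)` may fail to compile or to resolve, and at runtime a negative r from the new call makes the `continue` skip the remaining (shmat) filter for that arch just as the mprotect case above does; worth confirming against the minimum libseccomp version the project requires, or resolving the number at runtime with `seccomp_syscall_resolve_name("pkey_mprotect")` and skipping only this filter when it is negative. The argument position looks right: prot is the third argument of pkey_mprotect, so the SCMP_A2 masked compare mirrors the mprotect filter. A one-line comment would help the next reader, e.g. `/* pkey_mprotect() takes the same prot flags as mprotect(); filter it identically so the W^X policy cannot be bypassed. */`. The enclosing per-arch loop of seccomp_memory_deny_write_execute() starts and ends outside the hunk.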