From b835eeb4ec1dd122b6feff2b70881265c529fcdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 12 Nov 2017 17:28:48 +0100 Subject: [PATCH] shared/seccomp: disallow pkey_mprotect the same as mprotect for W^X mappings (#7295) MemoryDenyWriteExecution policy could be be bypassed by using pkey_mprotect instead of mprotect to create an executable writable mapping. The impact is mitigated by the fact that the man page says "Note that this feature is fully available on x86-64, and partially on x86", so hopefully people do not rely on it as a sole security measure. Found by Karin Hossen and Thomas Imbert from Sogeti ESEC R&D. https://bugs.launchpad.net/bugs/1725348 --- man/systemd.exec.xml | 5 +++-- src/shared/seccomp-util.c | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 7545c75d77..18cfe6b90a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1869,8 +1869,9 @@ CapabilityBoundingSet=~CAP_B CAP_C memory segments as executable are prohibited. Specifically, a system call filter is added that rejects mmap2 system calls with both PROT_EXEC and PROT_WRITE set, - mprotect2 system calls with - PROT_EXEC set and + mprotect2 + or pkey_mprotect2 + system calls with PROT_EXEC set and shmat2 system calls with SHM_EXEC set. Note that this option is incompatible with programs and libraries that generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 420edf8299..f8f757650b 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1440,6 +1440,12 @@ int seccomp_memory_deny_write_execute(void) { if (r < 0) continue; + r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect), + 1, + SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); + if (r < 0) + continue; + if (shmat_syscall != 0) { r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat), 1,