seccomp: allow shmat to be a separate syscall on architectures which use a multiplexer
After https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d6040d46817, shmat and the other syscalls that used to go through the multiplexer have their own separate numbers, and we can block them. But glibc might still use the old ones, so let's just do a best-effort block and not assume anything about how effective it is.
parent
e55bdf9b6c
commit
67fb5f338f
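--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -1519,6 +1519,7 @@ int seccomp_memory_deny_write_execute(void) {
 case SCMP_ARCH_X86:
 filter_syscall = SCMP_SYS(mmap2);
 block_syscall = SCMP_SYS(mmap);
+shmat_syscall = SCMP_SYS(shmat);
 break;
 
 case SCMP_ARCH_PPC:
@@ -1585,7 +1586,7 @@ int seccomp_memory_deny_write_execute(void) {
 continue;
 #endif
 
-if (shmat_syscall != 0) {
+if (shmat_syscall > 0) {
 r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
 1,
 SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));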
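Review bot: The guard `if (shmat_syscall > 0)` in the second hunk relies on libseccomp resolving a syscall an architecture lacks to a negative pseudo-number, but nothing in the code says so, and the guard variable is then ignored in favour of `SCMP_SYS(shmat)` on the next line. I would add `/* libseccomp maps syscalls an arch lacks to a negative pseudo-number; only filter when shmat exists as its own syscall */` above the check and pass `shmat_syscall` instead of `SCMP_SYS(shmat)` so the guard and the filter agree on what is being blocked. The commit message notes that glibc may still route shmat through the legacy multiplexer on some architectures, so this block is best-effort; that caveat belongs in a comment at this site too, since anyone relying on seccomp_memory_deny_write_execute() for W^X enforcement cannot see the commit message. seccomp_memory_deny_write_execute() begins and ends outside both hunks.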
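--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -548,15 +548,18 @@ static void test_memory_deny_write_execute_shmat(void) {
 assert_se(seccomp_memory_deny_write_execute() >= 0);
 
 p = shmat(shmid, NULL, SHM_EXEC);
+log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_se(p == MAP_FAILED);
 assert_se(errno == EPERM);
-#else /* __i386__, __powerpc64__, and "unknown" architectures */
-assert_se(p != MAP_FAILED);
-assert_se(shmdt(p) == 0);
 #endif
+/* Depending on kernel, libseccomp, and glibc versions, other architectures
+ * might fail or not. Let's not assert success. */
+if (p != MAP_FAILED)
+assert_se(shmdt(p) == 0);
 
 p = shmat(shmid, NULL, 0);
+log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(0): %m");
 assert_se(p != MAP_FAILED);
 assert_se(shmdt(p) == 0);
 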
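Review bot: The new `log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");` sits between the shmat() call and `assert_se(errno == EPERM)`, so the assertion now depends on the logging helper preserving errno; if log_debug_errno() is not guaranteed to do that, capture it first, `int e = p == MAP_FAILED ? errno : 0;`, and assert on `e`. Replacing the `#else` assertions with `if (p != MAP_FAILED) assert_se(shmdt(p) == 0);` also means that on i386, ppc64 and other architectures a regression where the filter stops blocking shmat(SHM_EXEC) passes silently, since only a debug line records it; a `log_notice("shmat(SHM_EXEC) succeeded, W^X block not effective on this arch")` in the success path would make that visible in test output without failing the test. test_memory_deny_write_execute_shmat() begins and ends outside the hunk.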