diff options
| author | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
| commit | e83c989bfd9fc9838b7dfb711d1dc6da81814045 (patch) | |
| tree | fa5620c10fa6cb21df608febbefa032f116c308a /sandbox-seccomp-filter.c | |
| parent | f6906f9bf12c968debec3671bbf19926ff8a235b (diff) | |
use SC_ALLOW_ARG_MASK to limit mmap protections
Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
Diffstat (limited to 'sandbox-seccomp-filter.c')
| -rw-r--r-- | sandbox-seccomp-filter.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 7b44755cb..840c5232b 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -216,10 +216,10 @@ static const struct sock_filter preauth_insns[] = { | |||
| 216 | SC_ALLOW(__NR_madvise), | 216 | SC_ALLOW(__NR_madvise), |
| 217 | #endif | 217 | #endif |
| 218 | #ifdef __NR_mmap | 218 | #ifdef __NR_mmap |
| 219 | SC_ALLOW(__NR_mmap), | 219 | SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE), |
| 220 | #endif | 220 | #endif |
| 221 | #ifdef __NR_mmap2 | 221 | #ifdef __NR_mmap2 |
| 222 | SC_ALLOW(__NR_mmap2), | 222 | SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE), |
| 223 | #endif | 223 | #endif |
| 224 | #ifdef __NR_mprotect | 224 | #ifdef __NR_mprotect |
| 225 | SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), | 225 | SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), |