diff options
author | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-08-23 10:19:30 +1000 |
commit | e83c989bfd9fc9838b7dfb711d1dc6da81814045 (patch) | |
tree | fa5620c10fa6cb21df608febbefa032f116c308a /sandbox-seccomp-filter.c | |
parent | f6906f9bf12c968debec3671bbf19926ff8a235b (diff) |
use SC_ALLOW_ARG_MASK to limit mmap protections
Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 7b44755cb..840c5232b 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
@@ -216,10 +216,10 @@ static const struct sock_filter preauth_insns[] = { | |||
216 | SC_ALLOW(__NR_madvise), | 216 | SC_ALLOW(__NR_madvise), |
217 | #endif | 217 | #endif |
218 | #ifdef __NR_mmap | 218 | #ifdef __NR_mmap |
219 | SC_ALLOW(__NR_mmap), | 219 | SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE), |
220 | #endif | 220 | #endif |
221 | #ifdef __NR_mmap2 | 221 | #ifdef __NR_mmap2 |
222 | SC_ALLOW(__NR_mmap2), | 222 | SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE), |
223 | #endif | 223 | #endif |
224 | #ifdef __NR_mprotect | 224 | #ifdef __NR_mprotect |
225 | SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), | 225 | SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), |