Merge pull request #4495 from topimiettinen/block-shmat-exec

seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
2025-03-13 00:58:27 +03:00 · 2016-10-28 15:41:07 +02:00 · 2016-10-28 15:41:07 +02:00 · fa1f250d6f
commit fa1f250d6f
parent 1740c5a807 d2ffa389b8
2 changed files with 18 additions and 4 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1525,12 +1525,15 @@
        <term><varname>MemoryDenyWriteExecute=</varname></term>

        <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
-        executable at the same time, or to change existing memory mappings to become executable are prohibited.
+        executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory
+        segments as executable are prohibited.
        Specifically, a system call filter is added that rejects
        <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-        system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set
-        and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-        system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs
+        system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
+        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        system calls with <constant>PROT_EXEC</constant> set and
+        <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        system calls with <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs
        that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
        use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
        harder for software exploits to change running code dynamically.
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -29,8 +29,10 @@
 #include <sys/mman.h>
 #include <sys/personality.h>
 #include <sys/prctl.h>
+#include <sys/shm.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/types.h>
 #include <sys/un.h>
 #include <unistd.h>
 #include <utmpx.h>
@ -1394,6 +1396,15 @@ static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c)
        if (r < 0)
                goto finish;

+        r = seccomp_rule_add(
+                        seccomp,
+                        SCMP_ACT_ERRNO(EPERM),
+                        SCMP_SYS(shmat),
+                        1,
+                        SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
+        if (r < 0)
+                goto finish;
+
        r = seccomp_load(seccomp);

 finish: