[openssh-commits] [openssh] 01/01: use SC_ALLOW_ARG_MASK to limit mmap protections
    git+noreply at mindrot.org 
    git+noreply at mindrot.org
       
    Fri Aug 23 10:20:10 AEST 2019
    
    
  
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit e83c989bfd9fc9838b7dfb711d1dc6da81814045
Author: Damien Miller <djm at mindrot.org>
Date:   Fri Aug 23 10:19:30 2019 +1000
    use SC_ALLOW_ARG_MASK to limit mmap protections
    
    Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
---
 sandbox-seccomp-filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 7b44755c..840c5232 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -216,10 +216,10 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
-	SC_ALLOW(__NR_mmap),
+	SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE),
 #endif
 #ifdef __NR_mmap2
-	SC_ALLOW(__NR_mmap2),
+	SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE),
 #endif
 #ifdef __NR_mprotect
 	SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE),
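Review bot: The new `SC_ALLOW_ARG_MASK(__NR_mmap, 2, ...)` and `__NR_mmap2` entries assume the protection flags are syscall argument 2 on every architecture this filter is built for; on ABIs where `__NR_mmap` is the legacy form taking a single pointer to an argument block (i386 and s390 come to mind), argument 2 is not `prot`, so the mask would be tested against an unrelated register value. It is worth confirming which ABIs reach these lines and, if any use the legacy form, guarding that entry per architecture. A short comment above the three entries would also help, e.g. `/* mmap/mmap2/mprotect: only PROT_READ|PROT_WRITE allowed, never PROT_EXEC */`, since `PROT_NONE` adds no bits to the mask and the intent is easy to miss. The `flags` argument is still unrestricted, which appears to be deliberate but is not stated. The `preauth_insns[]` array starts and ends outside the hunk.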
-- 