shared/seccomp: disallow pkey_mprotect the same as mprotect for W^X mappings (#7295)

MemoryDenyWriteExecution policy could be be bypassed by using pkey_mprotect
instead of mprotect to create an executable writable mapping.

The impact is mitigated by the fact that the man page says "Note that this
feature is fully available on x86-64, and partially on x86", so hopefully
people do not rely on it as a sole security measure.

Found by Karin Hossen and Thomas Imbert from Sogeti ESEC R&D.

https://bugs.launchpad.net/bugs/1725348

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 7545c75d77055d345a08f189d122d73dbcb6b7f3..18cfe6b90a061b07e163717efdc62601c450cb21 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1869,8 +1869,9 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         memory segments as executable are prohibited.  Specifically, a system call filter is added that rejects
         <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both
         <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
-        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
-        <constant>PROT_EXEC</constant> set and
+        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        or <citerefentry><refentrytitle>pkey_mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        system calls with <constant>PROT_EXEC</constant> set and
         <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
         <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
         generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 420edf8299d7a73127d548903ebc220cfb97bdc3..f8f757650b712200f6ada22d1416cf51338ccbcf 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1440,6 +1440,12 @@ int seccomp_memory_deny_write_execute(void) {
                 if (r < 0)
                         continue;
 
+                r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect),
+                                               1,
+                                               SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
+                if (r < 0)
+                        continue;
+
                 if (shmat_syscall != 0) {
                         r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
                                                        1,