use SC_ALLOW_ARG_MASK to limit mmap protections

author Damien Miller <djm@mindrot.org>

Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)

committer Damien Miller <djm@mindrot.org>

Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)
author Damien Miller <djm@mindrot.org>
Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)
committer Damien Miller <djm@mindrot.org>
Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c

index 7b44755cb6dc23bf52695d869cd5cf118d3fb970..840c5232bfefaabdbdd7e37dc4eec204490698e0 100644 (file)
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -216,10 +216,10 @@ static const struct sock_filter preauth_insns[] = {
         SC_ALLOW(__NR_madvise),
  #endif
  #ifdef __NR_mmap
-       SC_ALLOW(__NR_mmap),
+       SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE),
  #endif
  #ifdef __NR_mmap2
-       SC_ALLOW(__NR_mmap2),
+       SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE),
  #endif
  #ifdef __NR_mprotect
         SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE),
author	Damien Miller <djm@mindrot.org>
	Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)
committer	Damien Miller <djm@mindrot.org>
	Fri, 23 Aug 2019 00:19:30 +0000 (10:19 +1000)