mdwx: block memfd_create

Some profiles may need adjusting if app uses memfd_create(2) and memory-deny-write-execute was enabled.
2026-05-15 14:16:14 -06:00 · 2019-03-02 19:24:02 +02:00 · 2019-03-02 19:24:02 +02:00 · 59e30614ad
commit 59e30614ad
parent e934c66dba
7 changed files with 51 additions and 2 deletions
--- a/1
+++ b/1
@ -6,6 +6,7 @@ firejail (0.9.59) baseline; urgency=low
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
+  * memory-deny-write-execute now also blocks memfd_create

 firejail (0.9.58,2) baseline; urgency=low
  * cgroup flag in /etc/firejail/firejail.config file
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@ -258,6 +258,14 @@ void memory_deny_write_execute(const char *fname) {
 		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
 		KILL_PROCESS,
+		RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+		// block memfd_create as it can be used to create
+		// arbitrary memory contents which can be later mapped
+		// as executable
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+		KILL_PROCESS,
 		RETURN_ALLOW
 #endif
 	};
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -747,8 +747,8 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
-calls and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
+shmat system calls and kills the process if necessary.
 .br

 .br
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@ -29,6 +29,18 @@ expect {
 	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
 	"Parent is shutting down"
 }
+after 100
+
+send --  "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+	timeout {puts "TESTING ERROR 20\n";exit}
+	"Child process initialized"
+}
+expect {
+	timeout {puts "TESTING ERROR 21\n";exit}
+	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+	"Parent is shutting down"
+}

 after 100
 puts "\nall done\n"
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@ -6,12 +6,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>

 static void usage(void) {
 	printf("memwrexe options\n");
 	printf("where options is:\n");
 	printf("\tmmap - mmap test\n");
 	printf("\tmprotect - mprotect test\n");
+	printf("\tmemfd_create - memfd_create test\n");
 }

 int main(int argc, char **argv) {
@ -72,4 +74,18 @@ int main(int argc, char **argv) {

 		return 0;
 	}
+
+	else if (strcmp(argv[1], "memfd_create") == 0) {
+		int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+		if (fd == -1) {
+			fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+			return 1;
+		}
+		printf("memfd_create successful\n");
+
+		// wait for expect to timeout
+		sleep(100);
+
+		return 0;
+	}
 }
--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@ -29,6 +29,18 @@ expect {
 	"mprotect successful" {puts "TESTING ERROR 12\n";exit}
 	"Parent is shutting down"
 }
+after 100
+
+send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+	timeout {puts "TESTING ERROR 20\n";exit}
+	"Child process initialized"
+}
+expect {
+	timeout {puts "TESTING ERROR 21\n";exit}
+	"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+	"Parent is shutting down"
+}

 after 100
 puts "\nall done\n"