execute: be a little less drastic when MemoryDenyWriteExecute= hits

Let's politely refuse with EPERM rather than kill the whole thing right-away.

diff --git a/src/core/execute.c b/src/core/execute.c
index 135e567..cf52355 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 
         r = seccomp_rule_add(
                         seccomp,
-                        SCMP_ACT_KILL,
+                        SCMP_ACT_ERRNO(EPERM),
                         SCMP_SYS(mmap),
                         1,
                         SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
@@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 
         r = seccomp_rule_add(
                         seccomp,
-                        SCMP_ACT_KILL,
+                        SCMP_ACT_ERRNO(EPERM),
                         SCMP_SYS(mprotect),
                         1,
                         SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));