From: Lennart Poettering
Date: Wed, 22 Jun 2016 23:35:04 +0000 (+0200)
Subject: execute: be a little less drastic when MemoryDenyWriteExecute= hits
X-Git-Tag: v231~128^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=abd84d4d8304590a3944eee385edbebc8dc3bda1;p=platform%2Fupstream%2Fsystemd.git

execute: be a little less drastic when MemoryDenyWriteExecute= hits

Let's politely refuse with EPERM rather than kill the whole thing right-away.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index 135e567..cf52355 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 r = seccomp_rule_add(
 seccomp,
- SCMP_ACT_KILL,
+ SCMP_ACT_ERRNO(EPERM),
 SCMP_SYS(mmap),
 1,
 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
@@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 r = seccomp_rule_add(
 seccomp,
- SCMP_ACT_KILL,
+ SCMP_ACT_ERRNO(EPERM),
 SCMP_SYS(mprotect),
 1,
 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
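Review bot: With `SCMP_ACT_ERRNO(EPERM)` on the mmap rule, a denied W+X mapping is now indistinguishable from any other mmap failure and nothing records that the policy fired, whereas the SIGSYS from `SCMP_ACT_KILL` was at least visible to the supervisor; if the libseccomp/kernel baseline allows it, pairing the errno return with audit logging (the filter's log attribute, or an audit-logging action where available) would keep a detection trail, and either way the trade-off deserves a comment at the rule, e.g. `/* Refuse with EPERM instead of SIGSYS: the caller can handle the failure, but the denial is no longer visible to the kernel audit path. */`. Note too that `SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, ...)` only matches when both bits are requested in the same call, so a PROT_EXEC mapping of a file that is writable through another mapping or descriptor is not caught by this rule; if that limitation is not already documented outside the hunk, a one-line comment here would save the next reader from assuming full W^X. apply_memory_deny_write_execute() begins and ends outside the hunk, as does the `r < 0` check that follows seccomp_rule_add().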
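Review bot: The mprotect rule masks only on `PROT_EXEC`, so every call that adds execute permission now fails with EPERM, including the PROT_READ|PROT_EXEC flip a JIT or a text-relocating dlopen() performs on a page that was writable a moment earlier; that is the intended W^X enforcement, but since the commit turns it into a recoverable error an application may silently fall back from, the rule should say so, e.g. `/* Any mprotect() that adds PROT_EXEC is refused with EPERM; the W->X flip on a writable page is the case this guards. */`. Only mmap and mprotect are filtered in the hunks visible here; if the remainder of the function does not also cover shmat() with SHM_EXEC (and pkey_mprotect on kernels that have it), those paths reach executable memory without tripping either rule, which would be worth a NOTE at this point. The enclosing function continues past the hunk.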