diff options
Diffstat (limited to 'man')
| -rw-r--r-- | man/systemd.exec.xml | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index bb38ea2467..fd47b0a20a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1607,22 +1607,20 @@ <term><varname>MemoryDenyWriteExecute=</varname></term> <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and - executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory - segments as executable are prohibited. - Specifically, a system call filter is added that rejects - <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, - <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with <constant>PROT_EXEC</constant> set and - <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> - system calls with <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs - that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making - use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes - harder for software exploits to change running code dynamically. - If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> - capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> - is implied. - </para></listitem> + executable at the same time, or to change existing memory mappings to become executable, or mapping shared + memory segments as executable are prohibited. Specifically, a system call filter is added that rejects + <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both + <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set, + <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with + <constant>PROT_EXEC</constant> set and + <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with + <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program + code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code + "trampoline" feature of various C compilers. This option improves service security, as it makes harder for + software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and + partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. If running + in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting + <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem> </varlistentry> <varlistentry> |