authorCraig Andrews <candrews@integralblue.com>2016-08-08 11:56:19 -0400
committerdormando <dormando@rydia.net>2016-08-11 14:46:10 -0700
commit902df5e5ff98533e85dd1766e471e7c1c45af5eb (patch)
tree05710bf43773e704f4a43a450bc20a41756d792f /scripts
parent6fee85996d5dceb269fac590d2d06a19996b8aee (diff)
Add MemoryDenyWriteExecute to the systemd service
MemoryDenyWriteExecute=true will prevent attempts to create memory mappings that are both writable and executable at the same time. This option improves service security, as it makes it harder for software exploits to change running code dynamically.
Diffstat (limited to 'scripts')
-rw-r--r--scripts/memcached.service4
1 files changed, 4 insertions, 0 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service
index 0076d84..a96445b 100644
--- a/scripts/memcached.service
+++ b/scripts/memcached.service
@@ -36,5 +36,9 @@ PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+# Attempts to create memory mappings that are writable and executable at the same time,
+# or to change existing memory mappings to become executable are prohibited.
+MemoryDenyWriteExecute=true
+
[Install]
WantedBy=multi-user.target
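Review bot: The added `MemoryDenyWriteExecute=true` is enforced through a seccomp filter, and systemd's documentation recommends pairing it with `SystemCallArchitectures=native` so the restriction cannot be sidestepped through a secondary syscall ABI on multi-ABI hosts such as x86-64. No such line is visible in this hunk, but the [Service] section starts above it, so it may already be set there. The comment could also record the version dependency, for example `# Requires systemd >= 231; older versions log a warning and ignore this setting.`, so operators on older distributions do not assume the protection is active.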