path: root/man/systemd.exec.xml
author: Topi Miettinen <toiwoton@gmail.com> 2022-11-06 21:12:45 +0200
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2023-03-13 18:44:36 +0000
commit: 7a114ed4b39e9670f6a511f3eecb6fd58274d27b (patch)
tree: 72914d8845216087ad2983e13ce036c0518ba205 /man/systemd.exec.xml
parent: cbcdc582f3b219818728e81ccfc443790fafbdff (diff)
download: systemd-7a114ed4b39e9670f6a511f3eecb6fd58274d27b.tar.gz
execute: use prctl(PR_SET_MDWE) for MemoryDenyWriteExecute=yes
On some ARM platforms, the dynamic linker could use the PROT_BTI memory protection flag with `mprotect(..., PROT_BTI | PROT_EXEC)` to enable additional memory protection for executable pages. But `MemoryDenyWriteExecute=yes` blocks this with a seccomp filter denying all `mprotect(..., x | PROT_EXEC)`. The newly preferred method is to use prctl(PR_SET_MDWE) on supported kernels. Then the in-kernel implementation can allow PROT_BTI as necessary, without weakening MDWE. The in-kernel version may also be extended to more sophisticated protections in the future.
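The following C program is an added illustration of the in-kernel mechanism the commit message refers to; it is not systemd's code. It sets PR_SET_MDWE with PR_MDWE_REFUSE_EXEC_GAIN on the calling process, reads the flag back with PR_GET_MDWE, and probes the two operations MDWE refuses: a fresh mapping that is writable and executable at once, and an mprotect that adds PROT_EXEC to a mapping that lacked it. The numeric fallbacks for the PR_* constants are taken from the kernel's linux/prctl.h for build hosts whose headers predate Linux 6.3; the seccomp fallback that systemd uses on older kernels is not implemented here, the program only reports that it would be needed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

/* PR_SET_MDWE/PR_GET_MDWE arrived in Linux 6.3; older <sys/prctl.h> lacks them,
 * so fall back to the kernel's numeric values (linux/prctl.h) when undefined. */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE 65
#endif
#ifndef PR_GET_MDWE
#define PR_GET_MDWE 66
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
#define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0)
#endif

enum mdwe_status { MDWE_ERROR = -1, MDWE_UNSUPPORTED = 0, MDWE_ENABLED = 1 };

/* Ask the kernel to refuse W^X violations for this process. The flag is kept
 * in the mm, is inherited by children and across execve, and cannot be cleared,
 * which is why a service manager can set it before exec'ing the service.
 * A kernel that predates the option answers EINVAL; that is the case where a
 * seccomp filter would have to be installed instead. */
int enable_mdwe(void) {
    if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0UL, 0UL, 0UL) == 0)
        return MDWE_ENABLED;
    return errno == EINVAL ? MDWE_UNSUPPORTED : MDWE_ERROR;
}

/* Read the flag back: 1 if MDWE is enforced, 0 if not, -1 if unsupported. */
int mdwe_active(void) {
    int r = prctl(PR_GET_MDWE, 0UL, 0UL, 0UL, 0UL);
    if (r < 0)
        return -1;
    return (r & PR_MDWE_REFUSE_EXEC_GAIN) ? 1 : 0;
}

/* Probe 1: request a fresh anonymous mapping that is writable and executable at
 * once. Returns 1 if the kernel granted it, 0 if it was refused with EACCES
 * (what MDWE does), -1 on any other failure. */
int probe_wx_mapping(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno == EACCES ? 0 : -1;
    munmap(p, len);
    return 1;
}

/* Probe 2: create a plain RW mapping, then try to make it executable. This is
 * the "gain exec" transition MDWE refuses; same return convention as above. */
int probe_exec_gain(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int r = mprotect(p, len, PROT_READ | PROT_EXEC);
    int saved_errno = errno;
    munmap(p, len);
    if (r == 0)
        return 1;
    return saved_errno == EACCES ? 0 : -1;
}

static const char *verdict(int r) {
    return r == 1 ? "allowed" : r == 0 ? "refused (EACCES)" : "failed (other error)";
}

int main(void) {
    printf("before MDWE: W+X mmap %s, RW->RX mprotect %s\n",
           verdict(probe_wx_mapping()), verdict(probe_exec_gain()));

    int s = enable_mdwe();
    if (s == MDWE_UNSUPPORTED) {
        puts("PR_SET_MDWE unsupported by this kernel (needs 6.3+); a seccomp "
             "filter would be the fallback here");
        return 0;
    }
    if (s == MDWE_ERROR) {
        fprintf(stderr, "prctl(PR_SET_MDWE): %s\n", strerror(errno));
        return 1;
    }
    printf("after MDWE (PR_GET_MDWE=%d): W+X mmap %s, RW->RX mprotect %s\n",
           mdwe_active(), verdict(probe_wx_mapping()), verdict(probe_exec_gain()));
    return 0;
}
```

Run it once on a 6.3 or newer kernel and both probes flip from "allowed" to "refused (EACCES)" after the prctl; on an older kernel the program stops at the unsupported message, which is exactly the branch where the seccomp filter remains the only option. Note that the probes report the RW to RX transition being refused even though no page is ever both writable and executable at the same instant, which is the property the man page text describes as "change existing memory mappings to become executable".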
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml | 8
1 files changed, 5 insertions, 3 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 795e2f0671..653aa0d792 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2080,9 +2080,11 @@ RestrictNamespaces=~cgroup net</programlisting>
<listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
executable at the same time, or to change existing memory mappings to become executable, or mapping shared
- memory segments as executable, are prohibited. Specifically, a system call filter is added that rejects
- <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both
- <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
+ memory segments as executable, are prohibited. Specifically, a system call filter is added (or
+ preferably, an equivalent kernel check is enabled with
+ <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>) that
+ rejects <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
<citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> or
<citerefentry><refentrytitle>pkey_mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls
with <constant>PROT_EXEC</constant> set and
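Review bot: the added wording says the kernel check is enabled "with prctl(2)" but never names the option, so a reader cannot find it in that man page; suggest adding <constant>PR_SET_MDWE</constant> next to the citerefentry, matching the commit subject. "Or preferably" also leaves unstated which mechanism a unit actually gets: saying that the prctl is used when the running kernel supports it and the seccomp filter otherwise would make the fallback explicit. Since the commit message gives the motivation (the kernel check can permit mprotect(..., PROT_BTI | PROT_EXEC) on ARM while the filter cannot), a sentence on that behavioural difference belongs in this paragraph as well, because it is the one observable change for users of the setting.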