MemoryDenyWriteExecute setting

This systemd unit setting was added in systemd 231.

Purpose: block the creation or alteration of memory segments so that they become both writable and executable

Why and when to use MemoryDenyWriteExecute

The MemoryDenyWriteExecute setting blocks the creation or alteration of a memory segment so that it becomes both writable and executable. Enabling this restriction raises the bar for exploits that try to change running code dynamically.

Usage

[Service]
MemoryDenyWriteExecute=yes
InaccessiblePaths=/dev/shm
SystemCallFilter=~memfd_create

Caveats

To prevent circumvention of this setting, access to /dev/shm and the syscall memfd_create should be blocked as well.

Generic advice

For most common services this option can be enabled and will increase the security of the service, provided it is used together with InaccessiblePaths and SystemCallFilter.

Values

  • no: normal functionality allowed - default
  • yes: creation and alteration of memory segments to become writable and executable is not allowed

Example to show the current value of MemoryDenyWriteExecute for the dmesg service:

systemctl show --property=MemoryDenyWriteExecute dmesg.service
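As an added example (not from the original article), the following POSIX shell script extends the systemctl show command above to check all three settings from the Usage and Caveats sections at once: MemoryDenyWriteExecute, the /dev/shm entry in InaccessiblePaths, and memfd_create in SystemCallFilter. The property names are the ones systemctl show prints; the unit name is taken from the command line, and the audit function itself only parses text, so it can be exercised with constructed output.

```shell
#!/bin/sh
# Added example, not the article's own code: audit whether a unit has
# MemoryDenyWriteExecute=yes together with the two companion settings
# (InaccessiblePaths=/dev/shm and SystemCallFilter=~memfd_create).

# audit_mdwe SHOW_OUTPUT
# SHOW_OUTPUT is the text printed by
#   systemctl show -p MemoryDenyWriteExecute,InaccessiblePaths,SystemCallFilter UNIT
# Prints one finding per line; returns 0 only when all three checks pass.
audit_mdwe() {
    show=$1
    rc=0
    mdwe=$(printf '%s\n' "$show" | sed -n 's/^MemoryDenyWriteExecute=//p')
    paths=$(printf '%s\n' "$show" | sed -n 's/^InaccessiblePaths=//p')
    filter=$(printf '%s\n' "$show" | sed -n 's/^SystemCallFilter=//p')

    if [ "$mdwe" = yes ]; then
        echo "ok:   MemoryDenyWriteExecute=yes"
    else
        echo "FAIL: MemoryDenyWriteExecute=${mdwe:-(unset)}; W+X mappings still allowed"
        rc=1
    fi

    # /dev/shm must appear as a whole entry in the space-separated path list
    case " $paths " in
        *" /dev/shm "*) echo "ok:   /dev/shm is inaccessible" ;;
        *) echo "FAIL: /dev/shm reachable; a W+X file mapping can bypass MDWE"; rc=1 ;;
    esac

    # Deny-list form is "~name name ..."; memfd_create must be one of the names.
    # An allow-list (no leading ~) may still permit it via a syscall group,
    # so that case is reported for manual review rather than passed.
    case "$filter" in
        "~"*)
            case " ${filter#"~"} " in
                *" memfd_create "*) echo "ok:   memfd_create is denied" ;;
                *) echo "FAIL: deny-list does not include memfd_create"; rc=1 ;;
            esac ;;
        "") echo "FAIL: no SystemCallFilter; memfd_create is available"; rc=1 ;;
        *) echo "WARN: allow-list filter; confirm memfd_create is not permitted"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit-mdwe.sh UNIT   (for example: sh audit-mdwe.sh dmesg.service)
if [ $# -ge 1 ]; then
    audit_mdwe "$(systemctl show -p MemoryDenyWriteExecute,InaccessiblePaths,SystemCallFilter "$1")"
fi
```

A non-zero exit status means at least one of the three protections is missing or needs review.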

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
