MemoryDenyWriteExecute setting
The property MemoryDenyWriteExecute is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: deny the creation of memory mappings that are both writable and executable, and deny making an existing mapping executable (W^X enforcement for the service)
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use MemoryDenyWriteExecute
The setting MemoryDenyWriteExecute denies a service the ability to create memory mappings that are writable and executable at the same time, or to turn an existing writable mapping into an executable one. Technically, systemd installs a seccomp filter for the service that rejects mmap(2) calls with PROT_EXEC and PROT_WRITE set together, mprotect(2) and pkey_mprotect(2) calls that set PROT_EXEC, and shmat(2) calls with SHM_EXEC; the rejected calls fail with EPERM. Enforcing this W^X policy raises the bar for exploits that write machine code (shellcode) into memory and then execute it, or that patch running code in place.
Usage
[Service]
MemoryDenyWriteExecute=yes
InaccessiblePaths=/dev/shm
SystemCallFilter=~memfd_create
Caveats
The seccomp filter only sees individual system calls, so it can be circumvented by mapping the same file twice: once writable and once executable. Neither mapping is writable and executable on its own, yet code written through the first mapping is executable through the second. The two easiest ways to obtain such a file are a memfd created with the memfd_create(2) syscall and a file on the tmpfs at /dev/shm. To close these paths, block access to /dev/shm with InaccessiblePaths=/dev/shm and filter the syscall with SystemCallFilter=~memfd_create, as in the usage example above. Any other writable location that is not mounted noexec offers the same opportunity, so combine this setting with ProtectSystem, ProtectHome, or PrivateTmp as appropriate. Two more caveats: software that uses a JIT compiler (for example a JVM, V8 in Node.js, or LuaJIT) needs writable-and-executable memory and will typically crash or fail to start with this setting enabled, and according to systemd.exec(5) the feature is fully available on x86-64 and only partially on x86.
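The following probe program is an added example; it is not part of the original article or of systemd itself. It exercises the three operations the setting denies (an RWX mmap, an mprotect that adds PROT_EXEC) and the two bypass routes the caveat describes (double-mapping a memfd and double-mapping a file in /dev/shm). Each probe returns 0 when the kernel allowed the operation and the errno value otherwise, so running it once unsandboxed and once under `systemd-run -p MemoryDenyWriteExecute=yes -p InaccessiblePaths=/dev/shm -p SystemCallFilter=~memfd_create --wait --pipe ./wxprobe` shows exactly which vectors each option closes. The file name wx-probe and the 0xC3 (x86 `ret`) marker byte are arbitrary choices for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <fcntl.h>

#define PAGE 4096

/* Direct request for a writable+executable anonymous mapping.
 * Denied (EPERM) by MemoryDenyWriteExecute=yes. */
static int probe_mmap_rwx(void)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PAGE);
    return 0;
}

/* Classic shellcode pattern: write into an RW page, then flip it to RX.
 * Any mprotect() that sets PROT_EXEC is denied (EPERM) by the setting. */
static int probe_mprotect_exec(void)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = 0;
    if (mprotect(p, PAGE, PROT_READ | PROT_EXEC) != 0)
        rc = errno;
    munmap(p, PAGE);
    return rc;
}

/* Shared helper for the bypass probes: map fd twice, once RW and once RX.
 * Neither mapping is W+X by itself, so the seccomp filter cannot object;
 * a byte written through the RW view is then visible in the RX view.
 * Returns 0 when the bypass worked, errno on failure. */
static int double_map(int fd)
{
    if (ftruncate(fd, PAGE) != 0)
        return errno;
    unsigned char *rw = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED)
        return errno;
    unsigned char *rx = mmap(NULL, PAGE, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) {
        int e = errno;
        munmap(rw, PAGE);
        return e;
    }
    rw[0] = 0xC3;                      /* x86 'ret', used only as a marker */
    int rc = (rx[0] == 0xC3) ? 0 : EIO; /* EIO: views did not alias (unexpected) */
    munmap(rw, PAGE);
    munmap(rx, PAGE);
    return rc;
}

/* Bypass route 1: anonymous memfd. Closed by SystemCallFilter=~memfd_create,
 * which makes the syscall fail with EPERM. Returns ENOSYS where the syscall
 * number is unknown at build time (non-Linux or very old headers). */
static int probe_memfd_double_map(void)
{
#ifdef SYS_memfd_create
    int fd = (int)syscall(SYS_memfd_create, "wx-probe", 0);
    if (fd < 0)
        return errno;
    int rc = double_map(fd);
    close(fd);
    return rc;
#else
    return ENOSYS;
#endif
}

/* Bypass route 2: a file on the /dev/shm tmpfs. Closed by
 * InaccessiblePaths=/dev/shm, which makes file creation there fail. */
static int probe_devshm_double_map(void)
{
    char path[] = "/dev/shm/wx-probe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    unlink(path); /* keep no trace; the open fd keeps the inode alive */
    int rc = double_map(fd);
    close(fd);
    return rc;
}

static void report(const char *name, int rc)
{
    printf("%-28s %s\n", name, rc == 0 ? "ALLOWED" : strerror(rc));
}

int main(void)
{
    report("mmap RWX", probe_mmap_rwx());
    report("mprotect -> RX", probe_mprotect_exec());
    report("memfd double map", probe_memfd_double_map());
    report("/dev/shm double map", probe_devshm_double_map());
    return 0;
}
```

Outside the sandbox all four probes normally report ALLOWED. With only MemoryDenyWriteExecute=yes the first two are denied while both double-map probes still succeed, which is the circumvention described above; adding the two companion settings denies the remaining two as well.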
Generic advice
Most common services (daemons written in C, Go, Rust, or interpreted Python/Perl/shell without JIT) do not need writable-and-executable memory, so this option can be enabled and increases the security of the service. It is only effective when combined with InaccessiblePaths=/dev/shm and SystemCallFilter=~memfd_create; without those two, the setting is easy to bypass. Test the service after enabling it, since software with a JIT compiler will break.
Values
Systemd unit setting MemoryDenyWriteExecute expects a boolean value (yes/no or true/false, 1/0 are also accepted).
Value | Intended action | Available since systemd version |
---|---|---|
no | normal functionality allowed (default) | 231 |
yes | creation of writable-and-executable memory mappings, and making existing mappings executable, is not allowed | 231 |
Example to show the current value of MemoryDenyWriteExecute for the ssh service:
systemctl show --property=MemoryDenyWriteExecute ssh.service
Related hardening profiles
The systemd unit setting MemoryDenyWriteExecute is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.