MemoryDenyWriteExecute setting
This systemd unit setting was added in systemd 231.
Purpose: block the creation or alteration of memory segments so that they become both writable and executable
Why and when to use MemoryDenyWriteExecute
The setting MemoryDenyWriteExecute blocks the creation or alteration of a memory segment so that it becomes writable and executable at the same time. Enabling this restriction raises the bar for software exploits that try to change the code of a running process dynamically, for example by writing instructions into a writable region and then executing them.
Usage
[Service]
MemoryDenyWriteExecute=yes
InaccessiblePaths=/dev/shm
SystemCallFilter=~memfd_create
Caveats
To prevent circumvention of this setting, access to /dev/shm and the memfd_create syscall should be blocked as well: both hand a process a file-backed memory object that can be mapped separately as writable and as executable, which sidesteps the restriction without ever requesting a single writable-and-executable mapping.
Generic advice
For most common services this option can be enabled and will increase the security of the service, provided it is used together with InaccessiblePaths and SystemCallFilter as shown above.
Values
- no: normal functionality allowed (default)
- yes: creating or altering memory segments so that they become both writable and executable is not allowed
Example to show the current value of MemoryDenyWriteExecute for the dmesg service:
systemctl show --property=MemoryDenyWriteExecute dmesg.service
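Showing the configured value does not prove the restriction is enforced. The following probe, an added example that is not part of the original page, tries the two operations the setting covers (an anonymous RWX mapping, and an RW mapping later made executable with mprotect) plus a plain RW control mapping, and reports whether the kernel refused them. Run it inside the hardened unit, or ad hoc with systemd-run -p MemoryDenyWriteExecute=yes --wait --pipe ./mdwe-probe; outside such a unit the W+X cases are normally allowed.

```c
/* mdwe-probe: check whether writable-and-executable mappings are denied,
 * as they are under MemoryDenyWriteExecute=yes. Constructed example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

enum probe_result { PROBE_ERROR = -1, PROBE_DENIED = 0, PROBE_ALLOWED = 1 };

/* Map a failed mmap/mprotect to a result: EPERM or EACCES means a policy
 * (such as MemoryDenyWriteExecute) refused it; anything else is unexpected. */
static int classify(int rc) {
    if (rc == 0) return PROBE_ALLOWED;
    return (errno == EPERM || errno == EACCES) ? PROBE_DENIED : PROBE_ERROR;
}

/* Control case: a plain read/write anonymous mapping is never affected. */
int probe_mmap_rw(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return classify(-1);
    munmap(p, 4096);
    return PROBE_ALLOWED;
}

/* Case 1: request a mapping that is writable and executable at once. */
int probe_mmap_wx(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return classify(-1);
    munmap(p, 4096);
    return PROBE_ALLOWED;
}

/* Case 2: map writable first, then try to add PROT_EXEC with mprotect. */
int probe_mprotect_wx(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    int r = classify(mprotect(p, 4096, PROT_READ | PROT_WRITE | PROT_EXEC));
    munmap(p, 4096);
    return r;
}

static const char *describe(int r) {
    return r == PROBE_ALLOWED ? "allowed" : r == PROBE_DENIED ? "denied (EPERM/EACCES)" : "error";
}

int main(void) {
    printf("rw anonymous mapping : %s\n", describe(probe_mmap_rw()));
    printf("rwx anonymous mapping: %s\n", describe(probe_mmap_wx()));
    printf("rw -> rwx mprotect   : %s\n", describe(probe_mprotect_wx()));
    return 0;
}
```

Under a unit with MemoryDenyWriteExecute=yes, the last two lines should read "denied" while the control mapping stays "allowed"; if a case reports "allowed" instead, the unit file is not being applied as expected.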