MemoryDenyWriteExecute setting
The property MemoryDenyWriteExecute is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: prevent memory segments from being created as, or changed to, writable and executable at the same time
Why and when to use MemoryDenyWriteExecute
With MemoryDenyWriteExecute=yes a service can no longer create memory mappings that are writable and executable at the same time, nor change an existing mapping to become executable. Systemd enforces this with a seccomp system call filter: mmap() calls that request both PROT_WRITE and PROT_EXEC, mprotect() and pkey_mprotect() calls that request PROT_EXEC, and shmat() calls with SHM_EXEC are rejected. This raises the bar for software exploits, which typically stage shellcode in a writable buffer and then make that buffer executable, or write new instructions into a region that is already executable.
Usage
[Service]
MemoryDenyWriteExecute=yes
InaccessiblePaths=/dev/shm
SystemCallFilter=~memfd_create
Caveats
The filter only sees mappings that are writable and executable at once. A service that can write to a file system mounted without noexec (for example /dev/shm), or that can call memfd_create(), can still put code into a file and map it with PROT_EXEC alone, which the filter does not block. Close both paths by denying access to /dev/shm with InaccessiblePaths=/dev/shm and filtering the system call with SystemCallFilter=~memfd_create, as in the usage example above. On systems with more than one ABI (x86 next to x86-64), also set SystemCallArchitectures=native, so the secondary ABI cannot be used to reach the same system calls; the shmat() part of the protection is not available on 32-bit x86 at all. Finally, the setting is incompatible with programs that generate code at runtime (JIT engines, executable stacks, the trampoline feature of some C compilers), so test the service after enabling it. When the service runs without CAP_SYS_ADMIN (for example with User=), NoNewPrivileges=yes is implied.
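The following program is an added example, not systemd's own code and not part of the original page. It rebuilds the seccomp policy described above (mmap() with PROT_WRITE|PROT_EXEC and mprotect()/pkey_mprotect() with PROT_EXEC return EPERM; the shmat() rule is left out) as a raw BPF filter, installs it in its own process, and then probes what is and is not blocked. The last probe shows the bypass from the caveat: bytes written to a memfd and mapped PROT_EXEC are never writable and executable at once, so the filter lets them through. It assumes Linux on x86-64 or aarch64 (both little-endian) and a libc that provides memfd_create(); the names install_wx_filter, probe_* and run_demo are this example's own.

```c
/* Added example: reproduce MemoryDenyWriteExecute= as a seccomp filter and probe it.
 * Assumes Linux x86-64 or aarch64, glibc 2.27+ (memfd_create). Not systemd code.
 * Build: gcc -O2 -Wall wx_demo.c -o wx_demo && ./wx_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "this demo supports x86-64 and aarch64 only"
#endif
#ifdef __NR_pkey_mprotect
#define DEMO_NR_PKEY_MPROTECT __NR_pkey_mprotect
#else
#define DEMO_NR_PKEY_MPROTECT 0xffffffffu /* never matches a real syscall number */
#endif

/* Low 32 bits of args[2]: the prot argument of mmap/mprotect/pkey_mprotect (little-endian). */
#define PROT_ARG (offsetof(struct seccomp_data, args) + 2 * sizeof(__u64))
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define PAGE 4096

enum { DEMO_ENFORCED = 0, DEMO_NO_SECCOMP = 1, DEMO_UNEXPECTED = 2 };
int demo_filter_active = 0;

/* Policy: mmap with W+X -> EPERM; mprotect/pkey_mprotect with X -> EPERM; everything else allowed. */
int install_wx_filter(void) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 0, 5), /* not mmap: skip 5 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, PROT_ARG),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_WRITE, 0, 2), /* no W bit: allow */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),  /* no X bit: allow */
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),                   /* W+X: deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_NR_PKEY_MPROTECT, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* any other syscall */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, PROT_ARG),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),                   /* mprotect(..., X): deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return errno;
    demo_filter_active = 1;
    return 0;
}

/* Each probe returns 0 on success, otherwise the errno the kernel gave us. */
int probe_mmap_wx(void) { /* one RWX anonymous page */
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, PAGE);
    return 0;
}
int probe_mprotect_exec(void) { /* map RW, then flip to RX: the JIT / shellcode pattern */
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    int rc = mprotect(p, PAGE, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, PAGE);
    return rc;
}
int probe_mmap_rw(void) { /* control: ordinary RW mappings must keep working */
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, PAGE);
    return 0;
}
int probe_memfd_exec(void) { /* the bypass: write bytes to a memfd, map them PROT_EXEC only */
    static const unsigned char payload[16] = { 0xc3 }; /* constructed placeholder bytes, never run */
    int fd = memfd_create("demo-code", MFD_CLOEXEC);
    if (fd < 0) return errno;
    if (ftruncate(fd, PAGE) != 0 || write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        int e = errno; close(fd); return e;
    }
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int rc = p == MAP_FAILED ? errno : 0;
    if (p != MAP_FAILED) munmap(p, PAGE);
    close(fd);
    return rc;
}

int run_demo(void) {
    int before_wx = probe_mmap_wx(), before_mp = probe_mprotect_exec();
    int rc = install_wx_filter();
    if (rc != 0) { printf("seccomp filter not installed: %s\n", strerror(rc)); return DEMO_NO_SECCOMP; }
    int after_wx = probe_mmap_wx(), after_mp = probe_mprotect_exec();
    int after_rw = probe_mmap_rw(), memfd = probe_memfd_exec();
    printf("mmap(RWX):                before=%d after=%d (%s)\n", before_wx, after_wx, strerror(after_wx));
    printf("mmap(RW)+mprotect(RX):    before=%d after=%d (%s)\n", before_mp, after_mp, strerror(after_mp));
    printf("mmap(RW) control:         after=%d\n", after_rw);
    printf("memfd_create+mmap(RX):    after=%d  (not blocked: hence the /dev/shm and memfd_create caveat)\n", memfd);
    return (after_wx == EPERM && after_mp == EPERM && after_rw == 0) ? DEMO_ENFORCED : DEMO_UNEXPECTED;
}

int main(void) { return run_demo(); }
```

Run it once as is and once under a unit with MemoryDenyWriteExecute=yes but no filter of its own: in the second case the "before" probes already report EPERM, which is a quick way to confirm the unit setting took effect. The memfd probe keeps succeeding either way until SystemCallFilter=~memfd_create is added.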
Generic advice
Most common services can run with this option and gain real protection from it, as long as they do not generate code at runtime. The option on its own still leaves the file-backed and memfd_create() routes open, so use it together with InaccessiblePaths=/dev/shm, SystemCallFilter=~memfd_create and, on multi-ABI systems, SystemCallArchitectures=native.
Values
The systemd unit setting MemoryDenyWriteExecute takes a boolean value (yes/no, true/false, on/off or 1/0).
Value | Intended action | Available since systemd version
---|---|---
no | normal functionality allowed (default) | 231
yes | creating memory segments that are writable and executable at once, or altering segments to become executable, is not allowed | 231
Example to show the current value of MemoryDenyWriteExecute for the ssh service:
systemctl show --property=MemoryDenyWriteExecute ssh.service
Related hardening profiles
The systemd unit setting MemoryDenyWriteExecute is used in the following hardening profiles.