|
Zbigniew Jędrzejewski-Szmek |
f4a676 |
From adc6a92ae92647c9b098ffb5ff257c8ab685411e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 30 May 2017 16:43:48 -0400
Subject: [PATCH] man: update MemoryDenyWriteExecute description for executable
stacks

Without going into details, mention that libraries are also covered by the
filters, and that executable stacks are a no no.

Closes #5970.

(cherry picked from commit 03c3c520402db803cffd5abc7ea0c55fba95fbb3)
---
man/systemd.exec.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index fb64cd6d8e..9a9387b798 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1655,8 +1655,8 @@
<citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
<constant>PROT_EXEC</constant> set and
<citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
- <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program
- code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code
+ <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
+ generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
"trampoline" feature of various C compilers. This option improves service security, as it makes harder for
software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that
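Review bot: the rewritten list on the two `+` lines mixes categories and drops an article. With the unchanged context line that follows, the sentence now reads "including JIT execution engines, executable stacks, and code "trampoline" feature of various C compilers", so "the" is missing before "code", and an executable stack is not something that "generate[s] program code dynamically at runtime": it is a property of a binary or shared library (an executable PT_GNU_STACK marking) that makes the dynamic loader call mprotect() with PROT_EXEC on the stack, which is exactly the call the preceding context lines say is filtered. Consider separating the two cases, e.g. `programs and libraries that generate program code dynamically at runtime, such as JIT execution engines or code using the` / `"trampoline" feature of various C compilers, and programs and libraries that require an executable stack`. Since the commit message says libraries are now covered but the text never says what "incompatible" looks like, one more clause stating the practical symptom (loading such a library fails because its mprotect() call is rejected) would help the reader who arrives here from the issue this closes.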