1. 6

Relevant excerpt from the changes of the 231 version:

A new service setting MemoryDenyWriteExecute= has been added, taking a boolean value. If turned on, a service may no longer create memory mappings that are writable and executable at the same time. This enhances security for services where this is enabled as it becomesharder to dynamically write and then execute memory in exploitedservice processes. This option has been enabled for all of systemd’s own long-running services.


  2. 2

    Any thoughts about this ? I was under the impression that only kernel space could enforce what a program can or cannot do…

    1. 2

      I thought systemd had replaced the Linux kernel these days?

      1. 2

        The Linux kernel allows configuration of a lot of its access-control and resource-management features via the cgroups subsystem, which this is hooking into.

        1. 1

          I see, looks interesting!

        2. [Comment removed by author]

          1. 2

            <sarcasm>Knowing Linux’s OOM manager, it probably kills an entirely unrelated process.</sarcasm>