picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

man: update MemoryDenyWriteExecute description for executable stacks

Browse source 
Without going into details, mention that libraries are also covered by the
filters, and that executable stacks are a no no.

Closes #5970.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2017-05-30 16:43:48 -04:00
parent 0e3f51cf8d
commit 03c3c52040
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
man/systemd.exec.xml
View file

@ -1656,8 +1656,8 @@
<citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
<constant>PROT_EXEC</constant> set and
<citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
<constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program
code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code
<constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
"trampoline" feature of various C compilers. This option improves service security, as it makes harder for
software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that