diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 7545c75d77..18cfe6b90a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1869,8 +1869,9 @@ CapabilityBoundingSet=~CAP_B CAP_C
memory segments as executable are prohibited. Specifically, a system call filter is added that rejects
mmap2 system calls with both
PROT_EXEC and PROT_WRITE set,
- mprotect2 system calls with
- PROT_EXEC set and
+ mprotect2
+ or pkey_mprotect2
+ system calls with PROT_EXEC set and
shmat2 system calls with
SHM_EXEC set. Note that this option is incompatible with programs and libraries that
generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 420edf8299..f8f757650b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1440,6 +1440,12 @@ int seccomp_memory_deny_write_execute(void) {
if (r < 0)
continue;
+ r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
+ if (r < 0)
+ continue;
+
if (shmat_syscall != 0) {
r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
1,