From: Topi Miettinen Date: Fri, 18 Jan 2019 21:32:28 +0000 (+0200) Subject: Document weaknesses with MDWE and suggest hardening X-Git-Tag: v241-rc1~33 X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=commitdiff_plain;h=10d44e72ecab79afe6084ef318c71d7f2e471c6b Document weaknesses with MDWE and suggest hardening Closes #11473 --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index bd0091e3f1f..e8a3f77d54c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1279,13 +1279,19 @@ RestrictNamespaces=~cgroup net SHM_EXEC set. Note that this option is incompatible with programs and libraries that generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code "trampoline" feature of various C compilers. This option improves service security, as it makes harder for - software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and - partially on x86. Specifically, the shmat() protection is not available on x86. Note that - on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for - services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is - recommended to combine this option with SystemCallArchitectures=native or similar. If - running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability - (e.g. setting User=), NoNewPrivileges=yes is implied. + software exploits to change running code dynamically. However, the protection can be circumvented, if + the service can write to a filesystem, which is not mounted with noexec (such as + /dev/shm), or it can use memfd_create(). This can be + prevented by making such file systems inaccessible to the service + (e.g. InaccessiblePaths=/dev/shm) and installing further system call filters + (SystemCallFilter=~memfd_create). Note that this feature is fully available on + x86-64, and partially on x86. Specifically, the shmat() protection is not + available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is + recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the + restrictions of this option. Specifically, it is recommended to combine this option with + SystemCallArchitectures=native or similar. If running in user mode, or in system + mode, but without the CAP_SYS_ADMIN capability (e.g. 
setting + User=), NoNewPrivileges=yes is implied.
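Review bot: the suggested hardening in the new text is narrower than the weakness it describes. The sentence correctly says the bypass works with any writable filesystem that is not mounted noexec, but the mitigation that follows names only `InaccessiblePaths=/dev/shm`, which leaves other writable, exec-capable locations such as /tmp or the service's own working and state directories untouched; a reader who applies just the two listed directives will believe the gap is closed when it is not. Suggest stating the general requirement first (every path the service can write to must be mounted noexec or made inaccessible) with /dev/shm as one example, and noting that `SystemCallFilter=~memfd_create` on its own does not help while any such path remains. It would also help to say how the bypass works, since the text only says that it exists: the code is written to a file and then mapped executable, so no mapping is ever writable and executable at the same time and the W+X check is never triggered. Minor wording in the same lines: "can be circumvented, if the service can write to a filesystem, which is not mounted with noexec" reads as a non-restrictive clause; "can be circumvented if the service can write to a filesystem that is not mounted with noexec" is what is meant.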