On Tue, Oct 03, 2023 at 05:50:10PM +0200, Florent Revest wrote:
> Memory-Deny-Write-Execute is a W^X process control originally introduced
> by Joey Gouly. I'm the author of the PR_MDWE_NO_INHERIT flag.
>
> Signed-off-by: Florent Revest <revest@xxxxxxxxxxxx>
> ---
> man2/prctl.2 | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index d845b0905..67e6e2ff0 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -2041,6 +2041,33 @@ the copy will be truncated.
> Return (as the function result)
> the full length of the auxiliary vector.
> \fIarg4\fP and \fIarg5\fP must be 0.
> +.TP
> +.BR PR_SET_MDWE " (since Linux 6.3)"
> +.\" commit b507808ebce23561d4ff8c2aa1fb949fe402bc61
> +Set the process' Memory-Deny-Write-Execute protection mask.
> +.IR arg2
> +must be a bitmask of:
> +.RS
> +.\"
> +.TP
> +.B PR_MDWE_REFUSE_EXEC_GAIN
> +New memory mapping protections can't be writable and executable. Non-executable
> +mappings can't become executable.
> +.TP
> +.B PR_MDWE_NO_INHERIT " (since Linux 6.6)"
> +.\" commit 2a87e5520554034e8c423479740f95bea4a086a0
> +Do not propagate MDWE protection to child processes on

Should this mention that PR_MDWE_NO_INHERIT requires PR_MDWE_REFUSE_EXEC_GAIN
(unless I forgot how this was supposed to work)?

-- 
Catalin
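Review bot: the PR_MDWE_NO_INHERIT entry uses `.B PR_MDWE_NO_INHERIT " (since Linux 6.6)"`, which sets the whole line, including the "(since Linux 6.6)" suffix, in bold, whereas the PR_SET_MDWE entry a few lines above correctly uses `.BR PR_SET_MDWE " (since Linux 6.3)"` to alternate bold and roman; change the line to `.BR PR_MDWE_NO_INHERIT " (since Linux 6.6)"` so the two entries render the same way. Two documentation gaps in the same hunk: the PR_SET_MDWE entry says nothing about arg3, arg4 and arg5, while the neighbouring entries on this page (see the "\fIarg4\fP and \fIarg5\fP must be 0." context line) state which arguments must be 0, so the new entry should do the same; and, if the kernel really does require PR_MDWE_REFUSE_EXEC_GAIN alongside PR_MDWE_NO_INHERIT as Catalin asks, the PR_MDWE_NO_INHERIT text should say so and the ERRORS section should list the rejected combination. Minor style point: "Set the process' Memory-Deny-Write-Execute protection mask" reads better as "Set the calling process's Memory-Deny-Write-Execute protection mask", matching the phrasing used elsewhere in prctl.2.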
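The two behaviours the patch documents, refusing writable-and-executable mappings and not passing the mask on to children, can be checked directly from user space. The following is an added example written for this page; it is not part of the man-page patch or of the kernel tree. Each probe runs in a forked child so the calling process is never placed under MDWE, and the results come back as return values. The prctl constants and their numeric fallbacks (65, 66, bits 0 and 1) are taken from the kernel's uapi header; the enum names and the helper functions are this example's own. On a kernel older than 6.3, or under a sandbox that rejects the prctl, the probes report "unsupported" rather than failing.

```c
/*
 * Added example (not from the man-page patch or the kernel): exercise
 * PR_SET_MDWE in forked children so the calling process is unaffected.
 * Every probe returns a value instead of printing, so it can be asserted on.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for toolchains whose headers predate Linux 6.6; the values
 * match include/uapi/linux/prctl.h. */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE              65
#define PR_GET_MDWE              66
#define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0)
#endif
#ifndef PR_MDWE_NO_INHERIT
#define PR_MDWE_NO_INHERIT       (1UL << 1)
#endif

enum mdwe_result {
    MDWE_NOT_ENFORCED = 0, /* a W+X mmap() or a W->X mprotect() succeeded */
    MDWE_ENFORCED     = 1, /* both were refused */
    MDWE_UNSUPPORTED  = 2, /* PR_SET_MDWE itself was rejected (pre-6.3, sandboxed) */
    MDWE_ERROR        = 3, /* fork()/waitpid()/mmap() failure unrelated to MDWE */
};

/* Child body: optionally enable the mask, then try the two things the
 * PR_MDWE_REFUSE_EXEC_GAIN text says are forbidden. */
static int wx_probe(unsigned long mask)
{
    if (mask && prctl(PR_SET_MDWE, mask, 0L, 0L, 0L) != 0)
        return MDWE_UNSUPPORTED;

    /* 1. A mapping that is writable and executable at creation. */
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED)
        return MDWE_NOT_ENFORCED;

    /* 2. A non-executable mapping that later tries to gain PROT_EXEC. */
    p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return MDWE_ERROR;
    if (mprotect(p, 4096, PROT_READ | PROT_EXEC) == 0)
        return MDWE_NOT_ENFORCED;
    return MDWE_ENFORCED;
}

/* Child body: enable the mask, fork once more, and report what PR_GET_MDWE
 * shows in that grandchild. Exit codes: 0..3 = mask, 10 = prctl refused,
 * 11 = internal error. */
static int inherit_probe(unsigned long mask)
{
    if (prctl(PR_SET_MDWE, mask, 0L, 0L, 0L) != 0)
        return 10;
    pid_t pid = fork();
    if (pid < 0)
        return 11;
    if (pid == 0)
        _exit(prctl(PR_GET_MDWE, 0L, 0L, 0L, 0L));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 11;
    return WEXITSTATUS(status);
}

/* Run a probe body in a child and hand back its exit code, or -1 on error. */
static int run_in_child(int (*body)(unsigned long), unsigned long mask)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(body(mask));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Is W^X enforced after setting `mask` (0 = no prctl call, baseline)? */
int mdwe_enforced(unsigned long mask)
{
    int r = run_in_child(wx_probe, mask);
    return r < 0 ? MDWE_ERROR : r;
}

/* Mask a grandchild sees after the child set `mask`; -1 if PR_SET_MDWE
 * rejected the mask, -2 on an internal error. */
int mdwe_inherited_mask(unsigned long mask)
{
    int r = run_in_child(inherit_probe, mask);
    if (r == 10)
        return -1;
    if (r < 0 || r > 3)
        return -2;
    return r;
}

int main(void)
{
    printf("baseline (no prctl):        %d\n", mdwe_enforced(0));
    printf("REFUSE_EXEC_GAIN enforced:  %d\n", mdwe_enforced(PR_MDWE_REFUSE_EXEC_GAIN));
    printf("grandchild mask, default:   %d\n", mdwe_inherited_mask(PR_MDWE_REFUSE_EXEC_GAIN));
    printf("grandchild mask, NO_INHERIT:%d\n",
           mdwe_inherited_mask(PR_MDWE_REFUSE_EXEC_GAIN | PR_MDWE_NO_INHERIT));
    printf("NO_INHERIT alone accepted?: %d\n", mdwe_inherited_mask(PR_MDWE_NO_INHERIT));
    return 0;
}
```

On a 6.6 or later kernel the second line prints 1, the default grandchild mask equals PR_MDWE_REFUSE_EXEC_GAIN, the NO_INHERIT grandchild mask is 0, and the last probe returns -1 because the kernel rejects PR_MDWE_NO_INHERIT on its own, which is the dependency Catalin asks the man page to spell out. The probes run in children because the mask cannot be cleared once set; a test harness that set it in its own process would keep it for the rest of its life.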