Memory-Deny-Write-Execute is a W^X process control originally introduced by Joey Gouly. I'm the author of the PR_MDWE_NO_INHERIT flag. Signed-off-by: Florent Revest <revest@xxxxxxxxxxxx> --- Diff since v1: - Use semantic newlines - Document that PR_MDWE_NO_INHERIT requires PR_MDWE_REFUSE_EXEC_GAIN - Use "bit mask" instead of "bitmask" according to the style guide - Removed an empty comment line man2/prctl.2 | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/man2/prctl.2 b/man2/prctl.2 index d845b0905..83060edd9 100644 --- a/man2/prctl.2 +++ b/man2/prctl.2 @@ -2041,6 +2041,36 @@ the copy will be truncated. Return (as the function result) the full length of the auxiliary vector. \fIarg4\fP and \fIarg5\fP must be 0. +.TP +.BR PR_SET_MDWE " (since Linux 6.3)" +.\" commit b507808ebce23561d4ff8c2aa1fb949fe402bc61 +Set the calling process' Memory-Deny-Write-Execute protection mask. +Once protection bits are set, +they can not be changed. +.IR arg2 +must be a bit mask of: +.RS +.TP +.B PR_MDWE_REFUSE_EXEC_GAIN +New memory mapping protections can't be writable and executable. +Non-executable mappings can't become executable. +.TP +.B PR_MDWE_NO_INHERIT " (since Linux 6.6)" +.\" commit 2a87e5520554034e8c423479740f95bea4a086a0 +Do not propagate MDWE protection to child processes on +.BR fork (2). +Setting this bit requires setting +.B PR_MDWE_REFUSE_EXEC_GAIN +too. +.RE +.TP +.BR PR_GET_MDWE " (since Linux 6.3)" +.\" commit b507808ebce23561d4ff8c2aa1fb949fe402bc61 +Return (as the function result) the Memory-Deny-Write-Execute protection mask +of the calling process. +(See +.B PR_SET_MDWE +for information on the protection mask bits.) .SH RETURN VALUE On success, .BR PR_CAP_AMBIENT + PR_CAP_AMBIENT_IS_SET , -- 2.42.0.655.g421f12c284-goog
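Review bot: the `PR_MDWE_NO_INHERIT` heading uses `.B PR_MDWE_NO_INHERIT " (since Linux 6.6)"`, which sets the whole line, parenthetical included, in bold; the sibling entries use `.BR PR_SET_MDWE " (since Linux 6.3)"` so that the flag name is bold and the version note is roman, and this line should use `.BR` the same way. Two smaller points in the same hunk: the preceding entry states which of `arg3`/`arg4`/`arg5` must be 0, while the new `PR_SET_MDWE` and `PR_GET_MDWE` entries say nothing about the unused arguments, so that sentence is worth carrying over if the kernel enforces it for these operations; and the hunk describes three rejected inputs (changing bits that are already set, an unknown bit in the mask, and `PR_MDWE_NO_INHERIT` without `PR_MDWE_REFUSE_EXEC_GAIN`) without saying which error is returned, so the ERRORS section should gain matching entries.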