Using test software from pkeys(7) manpage, modified to use PROT_WRITE | PROT_EXEC, created systemd unit that tries to use memory protection, and started it as a systemd unit.
Thus calling:
status = pkey_mprotect(buffer, getpagesize(),
PROT_READ | PROT_WRITE | PROT_EXEC, pkey);
if (status == -1)
errExit("pkey_mprotect");
fprintf(stderr, "about to read buffer again...\n");
From journal:
a.out[6763]: buffer contains: 69
a.out[6763]: about to read buffer again...
Is bad, since it is expected that MemoryDenyWriteExecute shall not allow the pkey_mprotect call, and one should not see the "about to read buffer again..." message.
Upgrading to:
$ dpkg-query -W systemd
systemd 234-2ubuntu12.3
Starting test.unit again, and journal now has:
a.out[17978]: buffer contains: 69
a.out[17978]: pkey_mprotect: Operation not permitted
systemd[1]: test.service: Main process exited, code=exited, status=1/FAILURE
Using test software from pkeys(7) manpage, modified to use PROT_WRITE | PROT_EXEC, created systemd unit that tries to use memory protection, and started it as a systemd unit.
Thus calling: buffer, getpagesize(), "pkey_mprotect" );
status = pkey_mprotect(
PROT_READ | PROT_WRITE | PROT_EXEC, pkey);
if (status == -1)
errExit(
fprintf(stderr, "about to read buffer again...\n");
$ systemctl cat test.service system/ test.service Execute= true /home/ubuntu/ a.out
# /etc/systemd/
[Service]
MemoryDenyWrite
ExecStart=
$ dpkg-query -W systemd
systemd 234-2ubuntu12.1
From journal:
a.out[6763]: buffer contains: 69
a.out[6763]: about to read buffer again...
Is bad, since it is expected that MemoryDenyWrite Execute shall not allow the pkey_mprotect call, and one should not see the "about to read buffer again..." message.
Upgrading to:
$ dpkg-query -W systemd
systemd 234-2ubuntu12.3
Starting test.unit again, and journal now has:
a.out[17978]: buffer contains: 69
a.out[17978]: pkey_mprotect: Operation not permitted
systemd[1]: test.service: Main process exited, code=exited, status=1/FAILURE
Which is awesome =)