SYD-MDWE(1) General Commands Manual SYD-MDWE(1)

syd-mdwe - Run a command under Memory-Deny-Write-Execute protections

syd-mdwe [-hms] {command [args...]}

The syd-mdwe utility runs a command under Memory-Deny-Write-Execute (MDWE) protections. The protections can be applied using prctl(2) and seccomp(2). These protections are identical to what Syd applies by default.

-h Display help.
-m Enable MDWE protections using prctl(2) PR_SET_MDWE (default: both).
-s Enable MDWE protections using seccomp(2) (default: both).

Running pax-test once standalone and once under syd-mdwe on a 6.8 kernel, we get the following differences:

PaX Testcase                                standalone   mdwe
Executable anonymous mapping                Killed       Killed
Executable bss                              Killed       Killed
Executable data                             Killed       Killed
Executable heap                             Killed       Killed
Executable stack                            Killed       Killed
Executable shared library bss               Killed       Killed
Executable shared library data              Killed       Killed
Executable anonymous mapping (mprotect)     Vulnerable   Killed
Executable bss (mprotect)                   Vulnerable   Killed
Executable data (mprotect)                  Vulnerable   Killed
Executable heap (mprotect)                  Vulnerable   Killed
Executable stack (mprotect)                 Vulnerable   Killed
Executable shared library bss (mprotect)    Vulnerable   Killed
Executable shared library data (mprotect)   Vulnerable   Killed
Writable text segments                      Vulnerable   Killed

The test was performed with paxtest-0.9.15:

PaXtest - Copyright(c) 2003-2016 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later
Mode: 1
Blackhat
Kernel: 
Linux syd 6.8.0-syd-13213-g70293240c5ce #9 SMP PREEMPT_DYNAMIC Mon Mar 25 04:40:47 CET 2024 x86_64 GNU/Linux
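
The (mprotect) rows above can be checked without paxtest. The following C program is an added example, not code from syd or paxtest: it sets PR_SET_MDWE in a forked child and tests whether mprotect(2) may turn a writable anonymous page executable. The helper probe_exec_gain and its return codes are hypothetical names, and the program covers only the prctl(2) mechanism (-m), not the seccomp(2) filter (-s).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from linux/prctl.h (Linux 6.3+), defined here for older headers. */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE 65
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
#define PR_MDWE_REFUSE_EXEC_GAIN 1UL
#endif

enum { PROBE_ERROR = -2, MDWE_UNSUPPORTED = -1, EXEC_GAIN_ALLOWED = 0, EXEC_GAIN_DENIED = 1 };

/* Hypothetical helper: fork a child, optionally enable MDWE in it, then try to
 * turn a writable anonymous page executable with mprotect(2). The flag cannot
 * be cleared once set, so the probe never runs in the calling process. */
int probe_exec_gain(int enable_mdwe)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        if (enable_mdwe && prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0L, 0L, 0L) != 0)
            _exit(2);                       /* kernel lacks PR_SET_MDWE */
        long sz = sysconf(_SC_PAGESIZE);
        void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED)
            _exit(3);
        /* The page is never executed; only the permission change is tested. */
        _exit(mprotect(p, sz, PROT_READ | PROT_EXEC) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    int code = WEXITSTATUS(status);
    return code == 0 ? EXEC_GAIN_ALLOWED : code == 1 ? EXEC_GAIN_DENIED
         : code == 2 ? MDWE_UNSUPPORTED : PROBE_ERROR;
}

int main(void)
{
    printf("without MDWE: %d\nwith MDWE:    %d\n", probe_exec_gain(0), probe_exec_gain(1));
    return 0;
}
```

On a kernel with PR_SET_MDWE support the second probe returns EXEC_GAIN_DENIED; on older kernels it returns MDWE_UNSUPPORTED.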

This tool panics on most errors rather than handling them gracefully.

syd(1), syd(2), syd(5), prctl(2), seccomp(2)

syd homepage: https://sydbox.exherbolinux.org/

Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Discuss in #sydbox on Libera Chat.

2025-02-14