.\" Generated by scdoc 1.11.3
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "SYD-MDWE" "1" "2025-02-14"
.PP
.SH NAME
.PP
syd-mdwe - Run a command under Memory-Deny-Write-Execute protections
.PP
.SH SYNOPSIS
.PP
\fBsyd-mdwe\fR \fI[-hms]\fR \fI{command [args.\&.\&.\&]}\fR
.PP
.SH DESCRIPTION
.PP
The \fBsyd-mdwe\fR utility runs a command under Memory-Deny-Write-Execute (MDWE)
protections.\& The protections can be applied using \fIprctl\fR(2) and
\fIseccomp\fR(2).\& These protections are identical to what Syd applies by
default.\&
.PP
.SH OPTIONS
.PP
.TS
tab(@);
l lx
l lx
l lx.
T{
\fB-h\fR
T}@T{
Display help.\&
T}
T{
\fB-m\fR
T}@T{
Enable MDWE protections using \fIprctl\fR(2) PR_SET_MDWE (default: both).\&
T}
T{
\fB-s\fR
T}@T{
Enable MDWE protections using \fIseccomp\fR(2) (default: both).\&
T}
.TE
.sp 1
.SH COMPARISON TO PaX
.PP
Running pax-test once standalone and once under syd-mdwe on a 6.\&8 kernel, we
get the following differences:
.PP
.TS
allbox tab(@);
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c
l c c.
T{
\fBPaX Testcase\fR
T}@T{
\fBstandalone\fR
T}@T{
\fBmdwe\fR
T}
T{
Executable anonymous mapping
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable bss
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable data
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable heap
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable stack
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable shared library bss
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable shared library data
T}@T{
Killed
T}@T{
Killed
T}
T{
Executable anonymous mapping (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable bss (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable data (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable heap (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable stack (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable shared library bss (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Executable shared library data (mprotect)
T}@T{
Vulnerable
T}@T{
Killed
T}
T{
Writable text segments
T}@T{
Vulnerable
T}@T{
Killed
T}
.TE
.sp 1
The test was performed with paxtest-0.\&9.\&15:
.PP
.nf
.RS 4
PaXtest - Copyright(c) 2003-2016 by Peter Busser and Brad Spengler
Released under the GNU Public Licence version 2 or later
Mode: 1
Blackhat
Kernel:
Linux syd 6\&.8\&.0-syd-13213-g70293240c5ce #9 SMP PREEMPT_DYNAMIC Mon Mar 25 04:40:47 CET 2024 x86_64 GNU/Linux
.fi
.RE
.PP
.SH BUGS
.PP
This tool panics on most errors rather than handling them gracefully.\&
.PP
.SH SEE ALSO
.PP
\fIsyd\fR(1), \fIsyd\fR(2), \fIsyd\fR(5), \fIprctl\fR(2), \fIseccomp\fR(2)
.PP
\fBsyd\fR homepage: https://sydbox.\&exherbolinux.\&org/
.PP
.SH AUTHORS
.PP
Maintained by Ali Polatel.\& Up-to-date sources can be found at
https://gitlab.\&exherbo.\&org/sydbox/sydbox.\&git and bugs/patches can be
submitted to https://gitlab.\&exherbo.\&org/groups/sydbox/-/issues.\& Discuss
in #sydbox on Libera Chat.\&