SYD-MDWE(1)                 General Commands Manual                SYD-MDWE(1)

NAME
       syd-mdwe - Run a command under Memory-Deny-Write-Execute protections

SYNOPSIS
       syd-mdwe [-hms] {command [args...]}

DESCRIPTION
       The syd-mdwe utility runs a command under Memory-Deny-Write-Execute
       (MDWE) protections. The protections can be applied using prctl(2) and
       seccomp(2). These protections are identical to what Syd applies by
       default.

OPTIONS
       -h     Display help.

       -m     Enable MDWE protections using prctl(2) PR_SET_MDWE
              (default: both).

       -s     Enable MDWE protections using seccomp(2) (default: both).

COMPARISON TO PaX
       Running pax-test once standalone and once under syd-mdwe on a 6.8
       kernel we get the following differences:

       +-------------------------------------------+------------+--------+
       | PaX Testcase                              | standalone | mdwe   |
       +-------------------------------------------+------------+--------+
       | Executable anonymous mapping              | Killed     | Killed |
       | Executable bss                            | Killed     | Killed |
       | Executable data                           | Killed     | Killed |
       | Executable heap                           | Killed     | Killed |
       | Executable stack                          | Killed     | Killed |
       | Executable shared library bss             | Killed     | Killed |
       | Executable shared library data            | Killed     | Killed |
       | Executable anonymous mapping (mprotect)   | Vulnerable | Killed |
       | Executable bss (mprotect)                 | Vulnerable | Killed |
       | Executable data (mprotect)                | Vulnerable | Killed |
       | Executable heap (mprotect)                | Vulnerable | Killed |
       | Executable stack (mprotect)               | Vulnerable | Killed |
       | Executable shared library bss (mprotect)  | Vulnerable | Killed |
       | Executable shared library data (mprotect) | Vulnerable | Killed |
       | Writable text segments                    | Vulnerable | Killed |
       +-------------------------------------------+------------+--------+

       The test was performed with paxtest-0.9.15:

           PaXtest - Copyright(c) 2003-2016 by Peter Busser and Brad Spengler
           Released under the GNU Public Licence version 2 or later
           Mode: 1 Blackhat
           Kernel: Linux syd 6.8.0-syd-13213-g70293240c5ce #9 SMP
           PREEMPT_DYNAMIC Mon Mar 25 04:40:47 CET 2024 x86_64 GNU/Linux

BUGS
       This tool panics on most errors rather than handling them gracefully.

SEE ALSO
       syd(1), syd(2), syd(5), prctl(2), seccomp(2)

       syd homepage: https://sydbox.exherbolinux.org/

AUTHORS
       Maintained by Ali Polatel. Up-to-date sources can be found at
       https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be
       submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues.
       Discuss in #sydbox on Libera Chat.

                                  2025-02-14                       SYD-MDWE(1)
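The DESCRIPTION names prctl(2) PR_SET_MDWE as one of the two mechanisms, and the "(mprotect)" rows of the comparison table are the cases it changes. The C program below is an added example, not part of syd or of this manual page, that checks the prctl(2) half only (the seccomp(2) filter is not shown): after PR_SET_MDWE, a writable and executable mmap(2) and an RW to RX mprotect(2) must both be refused. The function names and return codes are this example's own; the fallback constants cover headers older than Linux 6.3.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for UAPI headers that predate PR_SET_MDWE (Linux 6.3). */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE 65
#define PR_MDWE_REFUSE_EXEC_GAIN 1UL
#endif

/* 0 = both refused, 1 = PR_SET_MDWE unavailable, 2 = W|X mmap allowed,
 * 3 = mprotect RW->RX allowed, 4 = unexpected error. */
static int probe_child(void) {
    if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0L, 0L, 0L) != 0)
        return 1;
    void *wx = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (wx != MAP_FAILED) return 2;
    void *rw = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (rw == MAP_FAILED) return 4;
    /* The "(mprotect)" rows: a writable mapping tries to gain PROT_EXEC. */
    if (mprotect(rw, 4096, PROT_READ | PROT_EXEC) == 0) return 3;
    return errno == EACCES ? 0 : 4;
}

/* Probe in a forked child: PR_SET_MDWE cannot be cleared once set. */
int mdwe_probe(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(probe_child());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = mdwe_probe();
    printf("mdwe probe result: %d\n", r);
    return (r == 0 || r == 1) ? 0 : 1;
}
```

A result of 1 means the running kernel does not support PR_SET_MDWE, in which case only the seccomp(2) mechanism (-s) can provide the restriction.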