man: update MemoryDenyWriteExecute description for executable stacks

Without going into details, mention that libraries are also covered by the filters, and that executable stacks are a no no. Closes #5970.
2025-03-08 20:58:20 +03:00 · 2017-05-30 16:43:48 -04:00 · 2017-05-30 16:43:48 -04:00 · 03c3c52040
commit 03c3c52040
parent 0e3f51cf8d
1 changed files with 2 additions and 2 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1656,8 +1656,8 @@
        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
        <constant>PROT_EXEC</constant> set and
        <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
-        <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program
-        code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code
+        <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
+        generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
        "trampoline" feature of various C compilers. This option improves service security, as it makes harder for
        software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
        partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that