systemd introduces memory protection


ID: 526
PHID: PHID-TASK-6p2fdwuse2jt44uzsgcx
Author: HulaHoop
Status at Migration Time: open
Priority at Migration Time: Normal


A great new security feature comes to systemd. It will be good to have for Whonix daemons:

Systemd 231 will allow the MemoryLimit and TasksMax and related unit settings to be specified as a percentage, support for the “memory” cgroup controller on cgroupsv2, a new MemoryDenyWriteExecute (optional) setting to prevent a service from creating memory mappings that are writable and executable at the same time (great for security!), systemd-resolved improvements, various other network-related systemd additions, support for VERSION_CODENAME in the os-release file, and many other changes.

Patrick said:
Setting MemoryLimit, TasksMax and maybe other related settings might be useful for some services such as sdwdate. More of a reliability improvement in case the service has a resource-exhaustion bug. It cannot prevent local DoS because the kernel / systemd does not provide I/O limiting, as found out during development of the constrained system resources program starter wrapper.
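As an added illustration (not a unit file from Whonix or systemd itself), a drop-in that applies the three settings discussed above to the sdwdate service; the percentage values and the drop-in path are assumptions chosen for the example:

```ini
# /etc/systemd/system/sdwdate.service.d/30_hardening.conf
# Added example drop-in (not Whonix's own unit); needs systemd 231 or newer.
[Service]
# Refuse mmap()/mprotect() calls that would leave a mapping both writable
# and executable (W^X). This breaks runtimes that JIT-compile code; sdwdate
# is assumed here not to need such mappings, so test before deploying.
MemoryDenyWriteExecute=yes
# Cap memory at 10% of physical RAM so a leak cannot exhaust the host.
MemoryLimit=10%
# Cap tasks (threads and processes) at 5% of the system's configured
# maximum number of PIDs, limiting a runaway fork.
TasksMax=5%
```

After `systemctl daemon-reload`, `systemctl show -p MemoryDenyWriteExecute sdwdate.service` confirms the setting is in effect; as Patrick notes, none of this limits I/O, so it is a containment measure, not a full local DoS defence.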