For security reasons I’d like to enable the systemd MemoryDenyWriteExecute flag for Xorg and other processes. However, the NVIDIA GL libraries unfortunately create memory mappings which are both writable and executable at the same time, which prevents using the flag:
$ cat /proc/`pidof glxgears`/maps | grep rwx
7fd72ad52000-7fd72ad72000 rwxp 019fe000 08:11 795228 /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7fd72d236000-7fd72d269000 rwxp 000be000 08:11 924758 /usr/lib/x86_64-linux-gnu/nvidia/current/libGL.so.352.79

# cat /proc/`pidof Xorg`/maps | grep rwx
7f2b6400a000-7f2b6402a000 rwxp 019fe000 08:11 795228 /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7f2b65c4e000-7f2b65c81000 rwxp 009ab000 08:11 924731 /usr/lib/nvidia/current/libglx.so.352.79
Typically such mappings are only needed for self-modifying code or JIT dynamic code generators. I wouldn’t expect GL libraries to need those tricks; perhaps this is not intentional?
I’m using drivers from Debian unstable.
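Added example, not part of the original post: a small Python parser for /proc/<pid>/maps that performs the same W+X check as the `grep rwx` above, but reads the permission field properly (so it also catches anonymous rwx regions with no path, which `grep rwx` on the path column would show but not label) and reports each region's size. These are exactly the mappings that MemoryDenyWriteExecute=yes would make the kernel refuse at mmap()/mprotect() time. SAMPLE_MAPS is constructed from the glxgears lines in the post plus made-up anonymous and read-only entries; the `[anonymous]` label is my own convention.

```python
"""Scan /proc/<pid>/maps for mappings that are writable and executable at once."""
import re
from dataclasses import dataclass

# Fields of a /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class WxMapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def find_wx_mappings(maps_text: str) -> list[WxMapping]:
    """Return every mapping whose permission field has both 'w' and 'x' set."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        perms = m.group("perms")
        if "w" in perms and "x" in perms:
            # Anonymous regions have an empty path; label them so they stand out in the report.
            found.append(WxMapping(int(m.group("start"), 16), int(m.group("end"), 16),
                                   perms, m.group("path") or "[anonymous]"))
    return found


def wx_mappings_for_pid(pid: int) -> list[WxMapping]:
    """Read a live process's maps file (Linux only) and return its W+X regions."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx_mappings(fh.read())


# Constructed sample: the two glxgears rwx lines from the post, plus invented rw-, r-x and anonymous rwx lines.
SAMPLE_MAPS = """\
7fd72ad52000-7fd72ad72000 rwxp 019fe000 08:11 795228 /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7fd72ad72000-7fd72ad80000 rw-p 00000000 00:00 0
7fd72d236000-7fd72d269000 rwxp 000be000 08:11 924758 /usr/lib/x86_64-linux-gnu/nvidia/current/libGL.so.352.79
7fd72e000000-7fd72e100000 r-xp 00000000 08:11 123456 /usr/lib/x86_64-linux-gnu/libc-2.19.so
7fd730000000-7fd730010000 rwxp 00000000 00:00 0
"""

if __name__ == "__main__":
    for w in find_wx_mappings(SAMPLE_MAPS):
        print(f"{w.start:x}-{w.end:x} {w.perms} {w.size:>8} bytes  {w.path}")
```

Run it against a real process with `wx_mappings_for_pid(pid)`; an empty list means the unit can take MemoryDenyWriteExecute=yes without those libraries failing to load.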