On 2017-05-24, Theo Buehler <t...@math.ethz.ch> wrote:
>> Now the mystery is how was I able to use ansible before 6.1 release
>> without wxallowed on
>
> The semantics of wxallowed were made stricter during the 6.1 release
> cycle. It was possible to run python on 6.0 without wxallowed (it would
> be killed on violation), on 6.1 the kernel refuses to execute python if
> it's not started from a wxallowed partition.
>
> More details here:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/current.html?rev=1.699&content-type=text/html

Also note that this isn't for Python itself, but because of shared-library extensions (especially webkit-based) that some people might want to use with it. The enforcement works like this: an executable may be marked with an ELF section to say that it wants to be able to map pages as both writable+executable. If it's marked like that, execution is only allowed from a partition mounted with the wxallowed flag, even if your use of the program doesn't trigger w+x use.
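
An added example, not part of the original message: a small audit helper that reports whether a binary carries the mark described above, so you can tell which programs must live on a wxallowed partition. It assumes the mark is the PT_OPENBSD_WXNEEDED program header (value from OpenBSD's sys/exec_elf.h); the function names and the sample ELF builder are constructed for illustration.

```python
import struct
import sys

PT_OPENBSD_WXNEEDED = 0x65A3DBE7  # p_type value from OpenBSD <sys/exec_elf.h>

def is_wxneeded(data: bytes) -> bool:
    """Return True if the ELF image has a PT_OPENBSD_WXNEEDED program header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:   # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        need, phoff_fmt, phoff_at, sizes_at = 0x40, "Q", 0x20, 0x36
    else:               # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        need, phoff_fmt, phoff_at, sizes_at = 0x34, "I", 0x1C, 0x2A
    if len(data) < need:
        raise ValueError("truncated ELF header")
    (phoff,) = struct.unpack_from(end + phoff_fmt, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, sizes_at)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(end + "I", data, off)  # p_type is always first
        if p_type == PT_OPENBSD_WXNEEDED:
            return True
    return False

def sample_elf64(p_types):
    """Constructed input: little-endian ELF64 header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0x40, 0, 0,
                              0x40, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    # Usage: python3 wxcheck.py /usr/local/bin/* (paths are the caller's choice)
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                marked = is_wxneeded(fh.read())
        except (OSError, ValueError) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        print(f"{path}: {'wxneeded' if marked else 'not marked'}")
```

A binary reported as wxneeded will be refused by a 6.1 kernel unless it is started from a partition mounted with wxallowed, whether or not that particular run ever maps W+X pages.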