The .rodata segment


Readonly strings and pointers were stored in the .text segment

Gave them PROT_READ | PROT_EXEC

Meaning const data could be executed (could be code an attacker could use)

But this is ELF, not a.out... so create a new segment called .rodata

These objects are now PROT_READ; they lose PROT_EXEC

We could call this  !X

Basically this is all part of making the base system address space
components have the minimal set of permissions





No real overhead