FS#75560 - [matterbridge] disable executable stack caused by library bug
Attached to Project:
Community Packages
Opened by Daniel Micay (thestinger) - Tuesday, 09 August 2022, 10:16 GMT
Last edited by Caleb Maclennan (alerque) - Monday, 22 August 2022, 11:21 GMT
Details
One of the libraries included by matterbridge has an ARM assembly code file that's included for x86_64 and causes the executable to have an executable stack due to the .note.GNU-stack marker being wrapped inside an ifdef for ARM, so it's missing elsewhere and the stack gets marked executable. I've reported the bug upstream but the project has 2 commits from over a year ago: https://github.com/Benau/go_rlottie/issues/1

The project the code originates from appears to have fixed the issue in 2019 (https://github.com/Samsung/rlottie/commit/7bcbea3a5038e054a464153c8ebdb2e22336226d) but go_rlottie copy-pasted it from somewhere else that it was copy-pasted or forked. Not great since they aren't shipping other important fixes, and all the more reason to want a non-executable stack and other mitigations since there is C and C++ code in matterbridge not getting security fixes due to copy-pasting into various Go libraries and not maintaining it.

For now, it would be nice to fix this in the package by adding -Wl,-z,noexecstack to LDFLAGS:

    export CGO_LDFLAGS="$LDFLAGS -Wl,-z,noexecstack"

You can check before and after using scanelf from pax-utils:

    % scanelf -e /usr/bin/matterbridge
    TYPE STK/REL/PTL FILE
    ET_DYN RWX R-- RW- /usr/bin/matterbridge

    % scanelf -e /usr/bin/matterbridge
    TYPE STK/REL/PTL FILE
    ET_DYN RW- R-- RW- /usr/bin/matterbridge

Once this is resolved, you can add back MemoryDenyWriteExecute=true to the service file. Separately from that you might as well also add ProcSubset=pid and ProtectProc=invisible.
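The STK column scanelf prints above is the p_flags field of the PT_GNU_STACK program header. As an added example (not from the report, the matterbridge package, or pax-utils), this Python script reads that header directly so a packager can verify the before/after state of a binary without scanelf; build_elf64 is a constructed fixture used only for the self-test, not a real binary.

```python
"""Report the PT_GNU_STACK permissions of an ELF image, as `scanelf -e` does."""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data: bytes):
    """Return the PT_GNU_STACK flags as a scanelf-style string ('RW-', 'RWX'),
    or None when no such header exists. ld emits RWX here as soon as one
    input object lacks .note.GNU-stack, which is the bug in the report."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    if is64:   # e_phoff @32 (8 bytes), e_phentsize @54, e_phnum @56
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:      # e_phoff @28 (4 bytes), e_phentsize @42, e_phnum @44
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags sits at +4 in an ELF64 phdr but at +24 in an ELF32 phdr
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return "".join(c if p_flags & bit else "-"
                           for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
    return None


def build_elf64(stack_flags: int) -> bytes:
    """Constructed test fixture: a minimal, non-loadable little-endian ELF64
    image whose single program header is PT_GNU_STACK with the given flags."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # e_ident
    # e_type=ET_DYN, e_machine=x86-64, e_phoff=64, e_ehsize=64, e_phentsize=56, e_phnum=1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    for path in sys.argv[1:]:            # e.g. python3 gnustack.py /usr/bin/matterbridge
        with open(path, "rb") as f:
            flags = gnu_stack_flags(f.read())
        print(f"{flags or 'no PT_GNU_STACK'}\t{path}")
```

A result of RWX (or no PT_GNU_STACK at all) means the service cannot run with MemoryDenyWriteExecute=true, which is why the report asks for the noexecstack fix first.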
This task depends upon
Closed by Caleb Maclennan (alerque)
Monday, 22 August 2022, 11:21 GMT
Reason for closing: Fixed
Additional comments about closing: matterbridge-1.25.2-2
https://github.com/Benau/go_rlottie/issues/1#issuecomment-1209237893
I'm not familiar with Go's package ecosystem so I'm not sure how quickly it will propagate from there. Depends on how stuff is pinned. That project only has 2 commits and no tags. Not sure if stuff is simply grabbing latest master or pinning a revision.