diff --git a/crates/runtime/src/mpk/enabled.rs b/crates/runtime/src/mpk/enabled.rs
index 9c877423332b..fe1bdf858223 100644
--- a/crates/runtime/src/mpk/enabled.rs
+++ b/crates/runtime/src/mpk/enabled.rs
@@ -78,7 +78,7 @@ impl ProtectionKey {
 pub fn protect(&self, region: &mut [u8]) -> Result<()> {
 let addr = region.as_mut_ptr() as usize;
 let len = region.len();
- let prot = sys::PROT_READ | sys::PROT_WRITE;
+ let prot = sys::PROT_NONE;
 sys::pkey_mprotect(addr, len, prot, self.id).with_context(|| {
 format!(
 "failed to mark region with pkey (addr = {addr:#x}, len = {len}, prot = {prot:#b})"
@@ -169,7 +169,7 @@ mod tests {
 assert!(result.is_err());
 assert_eq!(
 result.unwrap_err().to_string(),
- "failed to mark region with pkey (addr = 0x1, len = 1, prot = 0b11)"
+ "failed to mark region with pkey (addr = 0x1, len = 1, prot = 0b0)"
 );
 }
diff --git a/crates/runtime/src/mpk/sys.rs b/crates/runtime/src/mpk/sys.rs
index fe68decce8c2..671ea4eb9a25 100644
--- a/crates/runtime/src/mpk/sys.rs
+++ b/crates/runtime/src/mpk/sys.rs
@@ -13,13 +13,10 @@ use crate::page_size;
 use anyhow::Result;
 use std::io::Error;
-/// Protection mask allowing reads of pkey-protected memory (see `prot` in
-/// [`pkey_mprotect`]).
-pub const PROT_READ: u32 = libc::PROT_READ as u32; // == 0b0001.
-
-/// Protection mask allowing writes of pkey-protected memory (see `prot` in
-/// [`pkey_mprotect`]).
-pub const PROT_WRITE: u32 = libc::PROT_WRITE as u32; // == 0b0010;
+/// Protection mask disallowing reads and writes of pkey-protected memory (see
+/// `prot` in [`pkey_mprotect`]); in Wasmtime we expect all MPK-protected memory
+/// to start as `PROT_NONE`.
+pub const PROT_NONE: u32 = libc::PROT_NONE as u32; // == 0b0000;
 /// Allocate a new protection key in the Linux kernel ([docs]); returns the
 /// key ID.
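Review bot: With `prot` now `sys::PROT_NONE`, `protect` no longer only tags `region` with the key: the same `pkey_mprotect` call also removes read and write permission from every page in the range, so the `&mut [u8]` the caller passed in refers to memory that faults on access once the call returns. The function's doc comment sits above the hunk and is not visible here; it should state that post-condition, for example `/// On success every page of the region is left PROT_NONE; callers must make pages accessible again before reading or writing them.` It is also worth checking the callers, which are outside this diff, for any that pass a region whose pages are already in use, since those pages would lose access without an error. The body of `protect` continues past the end of the hunk.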
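Review bot: The new doc comment on `PROT_NONE` in `sys.rs` states the expectation that MPK-protected memory starts inaccessible but not the reason, and nothing here enforces it, since `pkey_mprotect` still takes `prot` as an argument (see the call in `enabled.rs`). A sentence giving the reason would help the next maintainer; presumably the intent is that a key-tagged page stays unreachable whatever the thread's PKRU value until it is explicitly made accessible, e.g. `/// Starting at PROT_NONE keeps a key-tagged page unreachable until it is explicitly mprotect'ed, independent of PKRU.`, which should be confirmed against the allocator code outside this diff. The trailing comment `// == 0b0000;` also carries over the stray semicolon from the removed `PROT_WRITE` line; `// == 0b0000.` would match the style of the removed `PROT_READ` line.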