On Fri, Jan 12, 2018 at 01:18:06PM -0800, Andy Lutomirski wrote: > FWIW, if we take this approach, then either dropping the capability should > turn PTI back on or we need to deal with the corner case of PTI off and > capability not present. The latter is a bit awkward but not necessarily a > show stopper. I think that all we need to do is to update the ptrace rules > and maybe make PTI turn back on when we execve. At least there's no need to > muck around with LSM hooks.
That's my point as well, just the same principle as the "NEXT" prctl : only perform changes on execve(). At least we're sure to deal with something consistent and it's the right moment for deciding on _PAGE_NX. Willy
