On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote: > The modify_ldt syscall exposes a large attack surface and is > unnecessary for modern userspace. Make it optional.
Andy, you didn't respond whether you think it wouldn't be better to make it runtime-configurable instead. The goal here is to ensure distros ship with modify_ldt disabled by default. But if it means breaking compatibility with (rare) existing applications, I'm seeing a risk that they'll ship with it enabled instead, which would make the config option useless. The CONFIG_DEFAULT_MMAP_ADDR was a good example of successful deployment of a hardening measure that has been widely adopted despite its (low) risk of breakage in field because it was adjustable in field. That's why here I think we should do the same, and possibly even emit a warning once to report the first user of modify_ldt if that can help. What do you think ? Willy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
