On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote:
> The modify_ldt syscall exposes a large attack surface and is
> unnecessary for modern userspace.  Make it optional.

Andy, you didn't respond whether you think it wouldn't be better to make
it runtime-configurable instead. The goal here is to ensure distros
ship with modify_ldt disabled by default. But if it means breaking
compatibility with (rare) existing applications, I'm seeing a risk
that they'll ship with it enabled instead, which would make the config
option useless. The CONFIG_DEFAULT_MMAP_ADDR was a good example of
successful deployment of a hardening measure that has been widely
adopted despite its (low) risk of breakage in field because it was
adjustable in field.

That's why here I think we should do the same, and possibly even
emit a warning once to report the first user of modify_ldt if that
can help.

What do you think ?

Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to