On Fri, Jul 24, 2015 at 11:23 PM, Willy Tarreau <w...@1wt.eu> wrote: > On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote: >> The modify_ldt syscall exposes a large attack surface and is >> unnecessary for modern userspace. Make it optional. > > Andy, you didn't respond whether you think it wouldn't be better to make > it runtime-configurable instead. The goal here is to ensure distros > ship with modify_ldt disabled by default. But if it means breaking > compatibility with (rare) existing applications, I'm seeing a risk > that they'll ship with it enabled instead, which would make the config > option useless. The CONFIG_DEFAULT_MMAP_ADDR was a good example of > successful deployment of a hardening measure that has been widely > adopted despite its (low) risk of breakage in field because it was > adjustable in field.
I'm all for it, but I think it should be hard-disablable in config, too, for the -tiny people. If we add a runtime disable, let's do a separate patch, and you and Kees can fight over how general it should be. > > That's why here I think we should do the same, and possibly even > emit a warning once to report the first user of modify_ldt if that > can help. > > What do you think ? I'm generally in favor. On the other hand, the current series is already written, might even be compatible with Xen, and patch 1 at least fixes a real bug. Maybe several real bugs. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
