On Mon, Jan 08, 2018 at 05:22:41PM +0100, Borislav Petkov wrote:
> On Sun, Jan 07, 2018 at 11:10:38PM +0100, Willy Tarreau wrote:
> > I just want to be clear that the big drop some of us are facing is
> > not an option *at all* for certain processes in certain environments
> > and that we'll either continue to run with pti=off or with pti=on + a
> > finer grained setting ASAP.
>
> And that's all I'm saying: do pti=off in that case. The finer-grained
> "solution" is just silly.
I disagree because I want that, as much as possible, occasional
unprivileged local users can't exploit it. pti=off gives them full
access. The finer-grained solution ensures that only a few processes
share the same risk as the kernel as they work together to deliver the
service. And that's what I've implemented in a patch series I sent in
another thread :-)

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1580131.html

Cheers,
Willy