On 10/18/2018 01:46 PM, Andy Lutomirski wrote: > Setting it to allow-all/none would let the operation always fail or > succeed which might be an improvement in terms of debugging. However it > is hard to judge what the correct behaviour should be. Should fail or > succeed.
Succeed. :) > But this is not the only loophole: There is ptrace interface which is > used by gdb (just checked) and also bypasses PKRU. So… Bypassing protection keys is not a big deal IMNHO. In places where a sane one is not readily available, I'm totally fine with just effectively disabling it (PKRU=0) for the length of time it isn't available.
