04.09.2015 13:09, Chuck Ebbert wrote:
> On Fri, 4 Sep 2015 00:28:04 +0300
> Stas Sergeev <s...@list.ru> wrote:
>
>> 03.09.2015 21:51, Austin S Hemmelgarn wrote:
>>> There are servers out there that have this enabled and _never_ use it
>>> at all,
>> Unless I am mistaken, servers usually use special flavour of the
>> distro (different from desktop install), where of course this will
>> be disabled _compile time_.
> Many (most?) distros use just one kernel for everything, because it's
> just too much work to have a separate flavor for servers.

But for example menuconfig promotes CONFIG_PREEMPT_NONE for server
and CONFIG_PREEMPT for desktop. Also perhaps a server would need an
LTS version rather than the latest. I wonder if RHEL Server offers the
generic desktop-suited kernel with vm86() enabled?

In any case, if there is some generic mechanism to selectively
disable syscalls at run-time for server, then vm86() is of course
a good candidate. I wonder how many other syscalls are currently
run-time controlled? (those that are not marked as an "attack surface"
and defaulted to Y; I suppose the "attack surface" is currently only
vm86())