On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote: > The modify_ldt syscall exposes a large attack surface and is > unnecessary for modern userspace. Make it optional.
Andy, you didn't respond whether you think it wouldn't be better to make it runtime-configurable instead. The goal here is to ensure distros ship with modify_ldt disabled by default. But if it means breaking compatibility with (rare) existing applications, I'm seeing a risk that they'll ship with it enabled instead, which would make the config option useless. The CONFIG_DEFAULT_MMAP_ADDR was a good example of successful deployment of a hardening measure that has been widely adopted despite its (low) risk of breakage in field because it was adjustable in field. That's why here I think we should do the same, and possibly even emit a warning once to report the first user of modify_ldt if that can help. What do you think ? Willy _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
