Re: [PATCH v3 10/10] x86-64: Add CONFIG_UNSAFE_VSYSCALLS to feature-removal-schedule
From: Valdis . Kletnieks
Date: Wed Jun 01 2011 - 13:38:10 EST
On Tue, 31 May 2011 09:16:04 EDT, Andy Lutomirski said:
> +What: CONFIG_UNSAFE_VSYSCALLS (x86_64)
Wow. I went nuts trying to find where this was because I couldn't find it in
Linus's tree I pulled a little while ago, before I realized you added it in patch 8
and deprecated it in patch 10.
Speaking of which:
+ On a system with recent enough glibc (probably 2.14 or
+ newer) and no static binaries, you can say N without a
+ performance penalty to improve security
So I checked my laptop (Fedora 16 Rawhide), and found a bunch of static binaries. The ones
that look like people may care:
# file /sbin/* | grep statically
/sbin/grub: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, stripped
/sbin/insmod.static: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped
/sbin/ldconfig: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped
/sbin/sln: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped
Might be a challenge to get rid of them though. Unless we don't care anymore
about "use a statically linked ldconfig to fix a corrupted ls.so.cache" and
"reboot from a rescue disk" the only choice. I think the insmod.static ends up
getting used in initrds to get the root filesystem mounted, we may care about
that as well.. ;)
Attachment:
pgp00000.pgp
Description: PGP signature