From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-alpha@sourceware.org
Subject: [PATCH] Reword description of SXID_* tunable properties
Date: Thu, 22 Oct 2020 11:48:18 +0530 [thread overview]
Message-ID: <20201022061818.74951-1-siddhesh@sourceware.org> (raw)
The SXID_* tunable properties only influence processes that are
AT_SECURE, so make that a bit more explicit in the documentation and
comment.
Revisiting the code after a few years I managed to confuse myself, so
I imagine there could be others who may have incorrectly assumed like
I did that the SXID_ERASE tunables are not inherited by children of
non-AT_SECURE processes.
---
elf/dl-tunables.list | 11 ++++++-----
manual/README.tunables | 11 ++++++-----
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 35634ef24d..e1d8225128 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -21,12 +21,13 @@
# minval: Optional minimum acceptable value
# maxval: Optional maximum acceptable value
# env_alias: An alias environment variable
-# security_level: Specify security level of the tunable. Valid values are:
+# security_level: Specify security level of the tunable for AT_SECURE binaries.
+# Valid values are:
#
-# SXID_ERASE: (default) Don't read for AT_SECURE binaries and
-# removed so that child processes can't read it.
-# SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
-# non-AT_SECURE subprocesses.
+# SXID_ERASE: (default) Do not read and do not pass on to
+# child processes.
+# SXID_IGNORE: Do not read, but retain for non-AT_SECURE
+# subprocesses.
# NONE: Read all the time.
glibc {
diff --git a/manual/README.tunables b/manual/README.tunables
index fff6c2a87e..d8c768abcc 100644
--- a/manual/README.tunables
+++ b/manual/README.tunables
@@ -59,12 +59,13 @@ The list of allowed attributes are:
- env_alias: An alias environment variable
-- security_level: Specify security level of the tunable. Valid values:
+- security_level: Specify security level of the tunable for AT_SECURE
+ binaries. Valid values are:
- SXID_ERASE: (default) Don't read for AT_SECURE binaries and
- removed so that child processes can't read it.
- SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
- non-AT_SECURE subprocesses.
+ SXID_ERASE: (default) Do not read and do not pass on to
+ child processes.
+ SXID_IGNORE: Do not read, but retain for non-AT_SECURE
+ child processes.
NONE: Read all the time.
2. Use TUNABLE_GET/TUNABLE_SET/TUNABLE_SET_WITH_BOUNDS to get and set tunables.
--
2.26.2
next reply other threads:[~2020-10-22 6:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-22 6:18 Siddhesh Poyarekar [this message]
2020-10-22 7:59 ` Florian Weimer
2020-10-22 8:22 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201022061818.74951-1-siddhesh@sourceware.org \
--to=siddhesh@sourceware.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).