From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: Florian Weimer <fw@deneb.enyo.de>,
Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH 0/3] x86: Add --enable-cet=permissive
Date: Wed, 29 Apr 2020 18:14:37 -0300 [thread overview]
Message-ID: <616cfb77-3aa3-fcbb-dacf-a0abbec9393e@linaro.org> (raw)
In-Reply-To: <87ees6ggvk.fsf@mid.deneb.enyo.de>
On 29/04/2020 17:46, Florian Weimer wrote:
> * Adhemerval Zanella via Libc-alpha:
>
>> On 28/04/2020 18:52, H.J. Lu via Libc-alpha wrote:
>>> When CET is enabled, it is an error to dlopen a non CET enabled shared
>>> library in CET enabled application. It may be desirable to make CET
>>> permissive, that is disable CET when dlopening a non CET enabled shared
>>> library. With the new --enable-cet=permissive configure option, CET is
>>> disabled when dlopening a non CET enabled shared library.
>>
>> Does not CET already provide a tunable to make it permissive? If the idea
>> is to enable as de-facto for a distro bootstrap, why not make it default
>> then?
>
> We currently do not have a way to set a tunable for SUID binaries.
>
> This means that it would be necessary to disable CET at the kernel or
> hypervisor level if the system depends on pre-CET NSS or PAM modules
> for its operation (or something else which is ultimately
> dlopen-based).
Doesn't disable CET on some modules defeat the very security effort? If so,
why should it be a build option on glibc?
next prev parent reply other threads:[~2020-04-29 21:14 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 21:52 H.J. Lu
2020-04-28 21:52 ` [PATCH 1/3] CET: Rename CET_MAX to CET_CONTROL_MASK [BZ #25887] H.J. Lu
2020-05-16 16:37 ` PING: " H.J. Lu
2020-05-16 17:27 ` Florian Weimer
2020-05-16 23:44 ` [PATCH] x86: Move CET control to _dl_x86_feature_control " H.J. Lu
2020-05-18 7:19 ` Florian Weimer
2020-05-18 12:26 ` V2 " H.J. Lu
2020-05-18 12:36 ` Florian Weimer
2020-04-28 21:52 ` [PATCH 2/3] rtld: Get architecture specific initializer in rtld_global H.J. Lu
2020-05-16 16:38 ` PING: " H.J. Lu
2020-05-16 17:51 ` Florian Weimer
2020-05-16 18:01 ` H.J. Lu
2020-05-16 18:07 ` Florian Weimer
2020-05-16 18:24 ` V2 [PATCH] " H.J. Lu
2020-04-28 21:52 ` [PATCH 3/3] x86: Add --enable-cet=permissive H.J. Lu
2020-04-29 17:19 ` [PATCH 0/3] " Adhemerval Zanella
2020-04-29 20:29 ` H.J. Lu
2020-04-29 20:46 ` Florian Weimer
2020-04-29 21:14 ` Adhemerval Zanella [this message]
2020-05-18 13:50 ` V2 [PATCH] " H.J. Lu
2020-05-18 14:43 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=616cfb77-3aa3-fcbb-dacf-a0abbec9393e@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=fw@deneb.enyo.de \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).