From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <fw@deneb.enyo.de>
Received: from albireo.enyo.de (albireo.enyo.de [37.24.231.21])
 by sourceware.org (Postfix) with ESMTPS id 1A79B383F852
 for <libc-alpha@sourceware.org>; Wed, 29 Apr 2020 20:46:09 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 1A79B383F852
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=deneb.enyo.de
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=fw@deneb.enyo.de
Received: from [172.17.203.2] (helo=deneb.enyo.de)
 by albireo.enyo.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
 id 1jTtap-0000Fn-DD; Wed, 29 Apr 2020 20:46:07 +0000
Received: from fw by deneb.enyo.de with local (Exim 4.92)
 (envelope-from <fw@deneb.enyo.de>)
 id 1jTtap-0001wP-AP; Wed, 29 Apr 2020 22:46:07 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH 0/3] x86: Add --enable-cet=permissive
References: <20200428215243.236312-1-hjl.tools@gmail.com>
 <eaff7b7d-63c6-e495-0d57-86fb225f9c20@linaro.org>
Date: Wed, 29 Apr 2020 22:46:07 +0200
In-Reply-To: <eaff7b7d-63c6-e495-0d57-86fb225f9c20@linaro.org> (Adhemerval
 Zanella via Libc-alpha's message of "Wed, 29 Apr 2020 14:19:51 -0300")
Message-ID: <87ees6ggvk.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
 SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 20:46:10 -0000

* Adhemerval Zanella via Libc-alpha:

> On 28/04/2020 18:52, H.J. Lu via Libc-alpha wrote:
>> When CET is enabled, it is an error to dlopen a non CET enabled shared
>> library in CET enabled application.  It may be desirable to make CET
>> permissive, that is disable CET when dlopening a non CET enabled shared
>> library.  With the new --enable-cet=permissive configure option, CET is
>> disabled when dlopening a non CET enabled shared library.
>
> Does not CET already provide a tunable to make it permissive? If the idea
> is to enable as de-facto for a distro bootstrap, why not make it default
> then?

We currently do not have a way to set a tunable for SUID binaries.

This means that it would be necessary to disable CET at the kernel or
hypervisor level if the system depends on pre-CET NSS or PAM modules
for its operation (or something else which is ultimately
dlopen-based).