From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=0byR=F7=gotplt.org=siddhesh@sourceware.org>
Received: from bee.birch.relay.mailchannels.net (bee.birch.relay.mailchannels.net [23.83.209.14])
	by sourceware.org (Postfix) with ESMTPS id 24CAF3858D33
	for <libc-alpha@sourceware.org>; Tue, 17 Oct 2023 14:17:15 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 24CAF3858D33
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 24CAF3858D33
Authentication-Results: server2.sourceware.org; arc=pass smtp.remote-ip=23.83.209.14
ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1697552237; cv=pass;
	b=DgKXRe2vYr8uyIpZjfu9d+OVLN8NxwNVM37n/O11qsWqYOfqN/mozIps9HJbHDvrsxQtXlceIEIc13/zUC7bEKe9jX7oBOVuIkXJS3ZIoHVTvlg9RfwXVF62+HNEwPWhytMRGy/BVm91DDcrlXrXlUdZT9zLcyl8TTbliyQWY0c=
ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key;
	t=1697552237; c=relaxed/simple;
	bh=yipu4ncFWBc4WhfYZxpLxSr93eoj0y0MqVv/mCZUtDk=;
	h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From; b=xBiT44ndY756f/6vkMjw3Z8PJs8y4ZGxjGz97o75IIBAODwGUSmowWpRmXvFcdtWHiM96P72WhOfnF32qMzFTaCZYBkZgCmEqia3G5yqYFAmJ1vpoLmmq01egtQKBVPEXVgLpGJvHcG1UwtXjyO6Nxq7jHzZ7Yt/OQ7p1z8tQlA=
ARC-Authentication-Results: i=2; server2.sourceware.org
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from relay.mailchannels.net (localhost [127.0.0.1])
	by relay.mailchannels.net (Postfix) with ESMTP id 90A48501BF2;
	Tue, 17 Oct 2023 14:17:13 +0000 (UTC)
Received: from pdx1-sub0-mail-a202.dreamhost.com (unknown [127.0.0.6])
	(Authenticated sender: dreamhost)
	by relay.mailchannels.net (Postfix) with ESMTPA id E12E0501E53;
	Tue, 17 Oct 2023 14:17:12 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1697552232; a=rsa-sha256;
	cv=none;
	b=N1rxT7c6gQlHshpsj0NTorQJuFODrHCPabpJyQrbkBhgdCmb79cwuCE/+gfWuo2p1LjMHL
	5lPowmmsfUfQ6PDif+x6lK7Sge+CXnZyTcl9+pCuGGduBSlrzMm0sfepaEIYzsGTbnRKqI
	6dD8s8HPFGDMsg4rSAuAhoYmVoJiGeHwftfU62FvgBQItilBKEgPmw/vXS6rDB1PLqp3Ft
	jPzL37yN+zZrpLyabxTcoR7ozQeTvj7AOCGP4uMo8xFlrkeL9mzSIBfNi0zO6gm/WG1T43
	CYLAA0UUxwDHAEQxQcfTiDPm3cn0TBI/xZbm7cDhCU4WImpbZnnx72HyCH9wnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net;
	s=arc-2022; t=1697552232;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=A4fWA6f/zJtzz31WZhLL1dNda8FYy6SVqK/gZnGMKOw=;
	b=tqMbOleBTNjDM5zLFPTzKeXyF/0vU9Lq8DmXtoQW3oCW3DtQp4bW2+Q+qJy8tZeij1Xr+s
	HV/bK3JmULYX+G2pALisLxi3PRXffrDtWNDgj9ybt1W4hGdAvKYIshUy/57uuOpFm3ZrOt
	Y2iESoDOFFUoQSBwDshvGeYZzTVJLGruiB8upR6bVkjtkcsKowbgvFYwElZUfe7ILEnflr
	HtnSuKLm8tcf3Fb+IDTTuncSzEW5zCXK+44PGQTvg4zlRvkY8tfk3SXlFm6JRpkEcEi09t
	wUqfJiVDLpGl9X9ZDz4fs1E82EuQ5023YqoVzKFnrMN2NAy5N9hz2me6l7t2DA==
ARC-Authentication-Results: i=1;
	rspamd-554cd65b86-z7cgh;
	auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Well-Made-Eyes: 35197ddb707dc359_1697552233417_1470296913
X-MC-Loop-Signature: 1697552233417:2039316595
X-MC-Ingress-Time: 1697552233417
Received: from pdx1-sub0-mail-a202.dreamhost.com (pop.dreamhost.com
 [64.90.62.162])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
	by 100.113.192.191 (trex/6.9.2);
	Tue, 17 Oct 2023 14:17:13 +0000
Received: from [192.168.2.12] (bras-vprn-toroon4834w-lp130-02-142-113-138-136.dsl.bell.ca [142.113.138.136])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: siddhesh@gotplt.org)
	by pdx1-sub0-mail-a202.dreamhost.com (Postfix) with ESMTPSA id 4S8wzD2txjz61;
	Tue, 17 Oct 2023 07:17:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org;
	s=dreamhost; t=1697552232;
	bh=A4fWA6f/zJtzz31WZhLL1dNda8FYy6SVqK/gZnGMKOw=;
	h=Date:Subject:To:Cc:From:Content-Type:Content-Transfer-Encoding;
	b=cWdQz6RLYH/WqWLKSDSvgXCYMm7g9CBg4MxMLFs4TFY2+Y1M6HddjrFtc+xVpJTc7
	 Ls+ZcOlb3j8B/5iu5B1pgvDOud4ED6W8s1/9zIJIliKYQG0NXs145MlhJcNCOTf8Rx
	 Vg3I/LMQdJ12ROB/Iy8rsQrvF4sEXs1jd3ywG34fOtsKxT4HLdzVeYHwVEUoi5sLqR
	 m0iaLebXO745uRgV5hcJ6ZkjG92Dv0pTaSMilS1vxAl4rAwTjr9yUQnu7CIIklaENg
	 dnm4NSzMI4afBojwFZVLbcyIuPWZ019gbO6YbtoVfFtNznxr1vZq/vifx9rl1njFbx
	 9IdOLltmOewoQ==
Message-ID: <8b216d3c-5f38-3ef5-1764-8cd811936714@gotplt.org>
Date: Tue, 17 Oct 2023 10:17:11 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.1
Subject: Re: RFC: system-wide default tunables
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
 DJ Delorie <dj@redhat.com>
Cc: libc-alpha@sourceware.org
References: <xnmswvxzuh.fsf@greed.delorie.com>
 <cf589d17-c71b-48bd-a500-67a6b445a082@linaro.org>
Content-Language: en-US
From: Siddhesh Poyarekar <siddhesh@gotplt.org>
In-Reply-To: <cf589d17-c71b-48bd-a500-67a6b445a082@linaro.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3031.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-alpha.sourceware.org>

On 2023-10-17 10:10, Adhemerval Zanella Netto wrote:
> But we already have opt-in security features with glibc.cpu.x86_ibt,
> glibc.cpu.x86_shstk, and glibc.mem.tagging.  At least the x86 ones,
> the default is set by an ELF property (assuming --enable-cet), but
> memory tagging is complete opt-in.
> 
> That's why I think we either need to add some security context on
> system-wide tunables; where the tunable can not be override by user;
> or move the opt-in security tunable to a different mechanism.

Only stricter overrides to systemwide tunables should be allowed, e.g. 
going from enabled memory tagging to disabled memory tagging.  For 
numeric values such as mmap_threshold, we may need to figure out on a 
case by case basis what constitutes "stricter".

Thanks,
Sid