Re: thoughts on kernel security issues

[Valdis . Kletnieks]

On Thu, 20 Jan 2005 13:16:33 EST, John Richard Moser said:

> > 1) the halving of the per-process VM space from 3GB to 1.5GB.

> Which has *never* caused a problem in anything I've ever used, and can
> be disabled on a per-process basis.

Just because something has never caused *you* a problem doesn't mean that
it's suitable for inclusion in something like RedHat where it's almost
certain to cause a problem for *some* user.

> > [ 3) requires manual tagging of applications. ]
> > 
> 
> Good.  Maybe distributors will actually know what they're talking about
> when flapping their mouths, rather than say "Oh look PaX it's magic so
> we just need to turn it on!"  Even I (at user level) examine everything
> I'm using and try to understand it; I don't expect all users to do this,
> but the distribution has to.

OK.. but then you say...

> PT_GNU_STACK is actually explicitly disabled -- apparently this is hard
> work, as my distribution can't seem to always keep up with it or get it
> quite right.

Can you explain why your distro has difficulty getting PT_GNU_STACK 100%
right, but you expect them to get tagging of apps with a flag that has
almost identical semantics to PT_GNU_STACK correct?

Attachment: pgp00000.pgp
Description: PGP signature