Re: [PATCH v4 1/1] exec: seal system mappings

From: Kees Cook
Date: Mon Jan 06 2025 - 20:17:22 EST

Next message: Yosry Ahmed: "Re: [PATCH v5 11/12] mm: zswap: Restructure & simplify zswap_store() to make it amenable for batching."
Previous message: Peter Schneider: "Re: [PATCH 6.6 000/222] 6.6.70-rc1 review"
In reply to: Liam R. Howlett: "Re: [PATCH v4 1/1] exec: seal system mappings"
Next in thread: Lorenzo Stoakes: "Re: [PATCH v4 1/1] exec: seal system mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 03, 2025 at 03:48:23PM -0500, Liam R. Howlett wrote:
> So we have at least two userspace uses that this will breaks: checkpoint
> restore and now gVisor, but who knows what else? How many config
> options before we decide this can't be just on by default?

See my reply to Lorenzo, but I'm not arguing for it to be enabled by
default. I was trying to show how we traditionally handle these kinds
of features: putting their enablement behind a Kconfig and boot param
that work together. That way distro kernels have it _available_ without
making it _enabled_, and specialty kernels can have in enabled by default
(and can disable it at boot if needed too).

--
Kees Cook

Next message: Yosry Ahmed: "Re: [PATCH v5 11/12] mm: zswap: Restructure & simplify zswap_store() to make it amenable for batching."
Previous message: Peter Schneider: "Re: [PATCH 6.6 000/222] 6.6.70-rc1 review"
In reply to: Liam R. Howlett: "Re: [PATCH v4 1/1] exec: seal system mappings"
Next in thread: Lorenzo Stoakes: "Re: [PATCH v4 1/1] exec: seal system mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]