lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 May 2020 18:57:15 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Christian Brauner <christian.brauner@...ntu.com> Cc: Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>, Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Eric Biggers <ebiggers3@...il.com>, Dmitry Vyukov <dvyukov@...gle.com>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, linux-security-module <linux-security-module@...r.kernel.org>, Linux API <linux-api@...r.kernel.org>, kernel list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 1/4] exec: Change uselib(2) IS_SREG() failure to EACCES Christian Brauner <christian.brauner@...ntu.com> writes: > On Mon, May 18, 2020 at 04:43:20PM +0200, Jann Horn wrote: >> On Mon, May 18, 2020 at 3:03 PM Christian Brauner >> <christian.brauner@...ntu.com> wrote: >> > Also - gulp (puts on flame proof suit) - may I suggest we check if there >> > are any distros out there that still set CONFIG_USELIB=y >> >> Debian seems to have it enabled on x86... >> >> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/config/kernelarch-x86/config#L1896 >> >> A random Ubuntu 19.10 VM I have here has it enabled, too. > > I wonder if there's any program - apart from _ancient_ glibc out there > that actually use it... > I looked at uselib in codsearch but the results were quite unspecific > but I didn't look too close. So the thing to do is to have a polite word with people who build Ubuntu and Debian kernels and get them to disable the kernel .config. A quick look suggets it is already disabled in RHEL8. It cannot be disabled in RHEL7. Then in a few years we can come back and discuss removing the uselib system call, base on no distributions having it enabled. If it was only libc4 and libc5 that used the uselib system call then it can probably be removed after enough time. We can probably reorganize the code before the point it is clearly safe to drop support for USELIB to keep it off to the side so USELIB does not have any ongoing mainteance costs. For this patchset I think we need to assume uselib will need to be maintained for a bit longer. Eric
Powered by blists - more mailing lists