[PATCH 0/3] x86: Add --enable-cet=permissive
Adhemerval Zanella
adhemerval.zanella@linaro.org
Wed Apr 29 21:14:37 GMT 2020
On 29/04/2020 17:46, Florian Weimer wrote:
> * Adhemerval Zanella via Libc-alpha:
>
>> On 28/04/2020 18:52, H.J. Lu via Libc-alpha wrote:
>>> When CET is enabled, it is an error to dlopen a non CET enabled shared
>>> library in CET enabled application. It may be desirable to make CET
>>> permissive, that is disable CET when dlopening a non CET enabled shared
>>> library. With the new --enable-cet=permissive configure option, CET is
>>> disabled when dlopening a non CET enabled shared library.
>>
>> Does not CET already provide a tunable to make it permissive? If the idea
>> is to enable as de-facto for a distro bootstrap, why not make it default
>> then?
>
> We currently do not have a way to set a tunable for SUID binaries.
>
> This means that it would be necessary to disable CET at the kernel or
> hypervisor level if the system depends on pre-CET NSS or PAM modules
> for its operation (or something else which is ultimately
> dlopen-based).
Doesn't disable CET on some modules defeat the very security effort? If so,
why should it be a build option on glibc?
More information about the Libc-alpha
mailing list