Re: STIBP by default.. Revert?

From: Willy Tarreau
Date: Sun Nov 18 2018 - 22:51:41 EST

Next message: Herbert Xu: "Re: [PATCH] rhashtable: detect when object movement between tables might have invalidated a lookup"
Previous message: Ming Lei: "Re: [PATCH V10 01/19] block: introduce multi-page page bvec helpers"
In reply to: Andi Kleen: "Re: STIBP by default.. Revert?"
Next in thread: Thomas Gleixner: "Re: STIBP by default.. Revert?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Nov 18, 2018 at 02:40:28PM -0800, Tim Chen wrote:
> Tasks that want extra security will enable that via prctl interface or
> making themselves non-dumpable.

Well, you need to be careful regarding the last part of your option
above, because a number of network daemons become non-dumpable by
executing setuid() at boot, and certainly don't want to suffer a
performance loss as a side effect of wanting to become "normally"
secure. I'd suggest to use the prctl only so that it doesn't
randomly hit innocent applications that would only have as a last
resort to turn off reasonable security features to avoid this impact.

Regards,
Willy

Next message: Herbert Xu: "Re: [PATCH] rhashtable: detect when object movement between tables might have invalidated a lookup"
Previous message: Ming Lei: "Re: [PATCH V10 01/19] block: introduce multi-page page bvec helpers"
In reply to: Andi Kleen: "Re: STIBP by default.. Revert?"
Next in thread: Thomas Gleixner: "Re: STIBP by default.. Revert?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]