Date: Tue, 8 Mar 2016 21:00:13 +0000
From: One Thousand Gnomes
To: Scott Bauer
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, x86@kernel.org, wmealing@redhat.com, ak@linux.intel.com, luto@amacapital.net, Abhiram Balasubramanian
Subject: Re: [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection.
Message-ID: <20160308210013.15ee166d@lxorguk.ukuu.org.uk>
In-Reply-To: <1457470075-4586-3-git-send-email-sbauer@eng.utah.edu>
References: <1457470075-4586-1-git-send-email-sbauer@eng.utah.edu> <1457470075-4586-3-git-send-email-sbauer@eng.utah.edu>
Organization: Intel Corporation

On Tue, 8 Mar 2016 13:47:55 -0700
Scott Bauer wrote:

> This patch adds a sysctl argument to disable SROP protection.

Shouldn't it be a sysctl to enable it irrevocably, otherwise if I have DAC
capability I can turn off SROP and attack something to get to higher
capability levels?

(The way almost all distros are set up it's kind of academic but for a
properly secured system it might matter).

Alan
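The design point Alan raises, a reversible on/off knob versus a one-way "enable irrevocably" latch, is modelled below as an added userspace example; it is not code from the SROP patch series or from this mail. The `struct knob` type, the `knob_write` function and the scenario helpers are assumptions made for the illustration; the one-way behaviour they show is the same pattern the real `kernel.modules_disabled` sysctl uses, where a write of 0 after the value has been set to 1 is rejected until reboot.

```c
/* Added example: a userspace model of two sysctl designs for a hardening
 * feature. Names and the in-memory state are assumptions for illustration;
 * in a real kernel the check would live in the sysctl's proc_handler. */
#include <errno.h>
#include <stdio.h>

struct knob {
    int value;    /* 1 = protection active, 0 = protection disabled */
    int one_way;  /* 1 = latch: once enabled, a write of 0 is refused */
};

/* Emulates the write side of a sysctl handler.
 * Returns 0 on success or a negative errno value on rejection. */
int knob_write(struct knob *k, int new_value)
{
    if (new_value != 0 && new_value != 1)
        return -EINVAL;
    /* Latch semantics: an enabled protection cannot be switched back off,
     * no matter what privileges the writer holds. */
    if (k->one_way && k->value == 1 && new_value == 0)
        return -EPERM;
    k->value = new_value;
    return 0;
}

/* Scenario: the protection is enabled early (boot or init), and later some
 * process with write access to the sysctl tries to turn it off.
 * Returns 1 if protection is still active afterwards, 0 if it was disabled. */
int protection_survives(int one_way)
{
    struct knob k = { .value = 0, .one_way = one_way };
    knob_write(&k, 1);   /* early enable by the administrator */
    knob_write(&k, 0);   /* later attempt to disable */
    return k.value;
}

/* Returns the error a latched knob reports when a disable is attempted. */
int latch_disable_result(void)
{
    struct knob k = { .value = 1, .one_way = 1 };
    return knob_write(&k, 0);
}

int main(void)
{
    printf("reversible sysctl: active after disable attempt = %d\n",
           protection_survives(0));
    printf("one-way latch:     active after disable attempt = %d\n",
           protection_survives(1));
    printf("latch rejects disable with errno %d (EPERM is %d)\n",
           -latch_disable_result(), EPERM);
    return 0;
}
```

With the reversible design, anyone who can write the sysctl file (root, or a process holding the DAC capability Alan mentions) can remove the mitigation before doing anything else; with the latch, the value set at boot stays in force for the lifetime of the system, so a later privilege gain cannot switch the protection off, which is the property a hardened deployment actually wants.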