On Wed, Nov 04, 2020 at 12:47:09PM -0600, Jeremy Linton wrote:
> On 11/4/20 4:50 AM, Mark Brown wrote:
> > The effect on pre-BTI hardware is an issue, another option would be for
> > systemd to disable this seccomp usage but only after checking for BTI
> > support in the system rather than just doing so purely based on the
> > architecture.
> That works, but you're also losing seccomp in the case where the machine is
> BTI capable, but the service isn't. So it should really be checking the ELF
> notes, but at that point you might just as well patch glibc.

True, I guess I was assuming that a BTI rebuild is done at the distro level
but of course even if that's the case a system could have third-party
binaries so you can't just assume that the world is BTI.
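The "checking the elf notes" test mentioned above, as an added example that is not code from this thread, systemd or glibc: it parses a raw `.note.gnu.property` note (the bytes a loader would find via `PT_GNU_PROPERTY`) and reports whether the binary declares BTI. Locating the note inside an ELF file is left out; the constants are the ones from the Linux UAPI ELF header, and `build_note` only constructs sample input.

```python
import struct

# Constants from <uapi/linux/elf.h>; bit 0 of the AArch64 feature word is BTI.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note: bytes, align: int = 8) -> dict:
    """Return {pr_type: pr_data} for an ELF64 GNU property note, {} otherwise."""
    if len(note) < 12:
        return {}
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name = note[12:12 + namesz]
    if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
        return {}
    desc_off = _align(12 + namesz, align)          # name is padded to the note alignment
    desc = note[desc_off:desc_off + descsz]
    props, off = {}, 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        if off + pr_datasz > len(desc):
            break                                  # truncated property: stop, do not guess
        props[pr_type] = desc[off:off + pr_datasz]
        off = _align(off + pr_datasz, align)       # pr_data is padded to 8 on ELF64
    return props


def aarch64_feature_bits(note: bytes) -> int:
    data = parse_gnu_property_note(note).get(GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    return struct.unpack("<I", data)[0] if data is not None and len(data) == 4 else 0


def has_bti(note: bytes) -> bool:
    """True only if the binary was marked BTI-compatible by the linker."""
    return bool(aarch64_feature_bits(note) & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)


def build_note(features: int) -> bytes:
    """Constructed sample: a GNU property note carrying the given feature bits."""
    prop = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, features, 0)
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


if __name__ == "__main__":
    for feats in (0, GNU_PROPERTY_AARCH64_FEATURE_1_BTI,
                  GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC):
        print(hex(feats), "BTI" if has_bti(build_note(feats)) else "no BTI")
```

A service manager that read this bit per executable could keep its seccomp filter for non-BTI services instead of dropping it for the whole architecture.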