* Andy Lutomirski:

> Is there a reason you didn't just change the check earlier in the
> function to:
>
> if (vsyscall_mode == NONE || current->mm->context.vsyscall_disabled)

Andrei requested that I don't print anything if vsyscall was disabled.
The original patch used a different message for better diagnostics.

> Also, I still think the prctl should not be available if
> vsyscall=emulate. Either we should fully implement it or we should
> not implement. We could even do:
>
> pr_warn_once("userspace vsyscall hardening request ignored because you
> have vsyscall=emulate. Unless you absolutely need vsyscall=emulate,
> update your system to use vsyscall=xonly.\n");
>
> and thus encourage good behavior.

I think there is still some hardening applied even with
vsyscall=emulate. The question is what is more important: the
additional hardening, or clean, easily described behavior of the
interface.

Maybe ARCH_VSYSCALL_CONTROL could return different values based on to
what degree it could disable vsyscall?

The pr_warn_once does not seem particularly useful. Anyone who
upgrades glibc and still uses vsyscall=emulate will see that, with no
way to disable it.

Thanks,
Florian