On Fri, Mar 09, 2018 at 01:04:39AM +0000, Andy Lutomirski wrote:
> On Fri, Mar 9, 2018 at 12:57 AM, Alexei Starovoitov <ast@xxxxxx> wrote:
> > On 3/8/18 4:24 PM, Kees Cook wrote:
> >>
> >> As Andy asked earlier, why not DYN too to catch PIE executables? Seems
> >> like forcing the userspace helper to be non-PIE would defeat some of
> >> the userspace defenses in use in most distros.
> >
> >
> > because we don't add features without concrete users.
>
> I disagree here. If you're going to add a magic trick that triggers
> an execve(), then I think you should either support *both* standard,
> widely-used types of ELF programs or you should give a compelling use
> case that works for ET_EXEC but not for ET_DYN. Keep in mind that
> many distros have a very strong preference for ET_DYN.

The misunderstanding here is that this bpfilter.ko is part of _kernel build_.
Kernel decides how it's built. Nothing to do with distros.
Current Makefile is very dumb and it's built with HOSTCC:
https://git.kernel.org/pub/scm/linux/kernel/git/ast/bpf.git/tree/net/bpfilter/Makefile?h=ipt_bpf
but it will be standalone with CC before final to make sure cross-compiling works.
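
The ET_EXEC versus ET_DYN distinction debated in this thread, as an added example that is not code from the bpfilter patch or from any participant: it reads `e_type` from an ELF header and shows that a check accepting only ET_EXEC rejects a PIE build. The function names, the `allow_dyn` flag and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from the ELF specification. */
#define EI_NIDENT   16
#define EI_DATA     5
#define ELFDATA2LSB 1
#define ELFDATA2MSB 2
#define ET_EXEC     2   /* fixed-address executable */
#define ET_DYN      3   /* shared object or PIE executable */

/* Read e_type from an in-memory image; -1 if it is not a usable ELF header. */
static int elf_e_type(const unsigned char *img, size_t len)
{
    /* e_type is the 16-bit field right after e_ident, in 32- and 64-bit ELF. */
    if (len < EI_NIDENT + 2 || memcmp(img, "\177ELF", 4) != 0)
        return -1;
    if (img[EI_DATA] == ELFDATA2LSB)
        return img[EI_NIDENT] | (img[EI_NIDENT + 1] << 8);
    if (img[EI_DATA] == ELFDATA2MSB)
        return (img[EI_NIDENT] << 8) | img[EI_NIDENT + 1];
    return -1;
}

/* Hypothetical policy check: ET_EXEC always, ET_DYN only when allow_dyn is set. */
static int helper_type_ok(const unsigned char *img, size_t len, int allow_dyn)
{
    int t = elf_e_type(img, len);
    return t == ET_EXEC || (allow_dyn && t == ET_DYN);
}

/* Constructed sample headers (first 18 bytes only), not from real binaries. */
static const unsigned char hdr_exec[18] = { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 2,0 };
static const unsigned char hdr_pie[18]  = { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 3,0 };
static const unsigned char hdr_be[18]   = { 0x7f,'E','L','F', 1,2,1,0, 0,0,0,0,0,0,0,0, 0,3 };

int main(void)
{
    printf("ET_EXEC only:   exec=%d pie=%d\n",
           helper_type_ok(hdr_exec, sizeof hdr_exec, 0),
           helper_type_ok(hdr_pie, sizeof hdr_pie, 0));
    printf("EXEC or DYN:    exec=%d pie=%d big-endian pie=%d\n",
           helper_type_ok(hdr_exec, sizeof hdr_exec, 1),
           helper_type_ok(hdr_pie, sizeof hdr_pie, 1),
           helper_type_ok(hdr_be, sizeof hdr_be, 1));
    return 0;
}
```

ET_DYN is also the type of ordinary shared objects, so accepting it by `e_type` alone does not by itself prove the image is a PIE executable.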