On Tue, 2016-11-08 at 07:34 -0800, Andy Lutomirski wrote: > > Would it not be better to emulate these instructions for them? What > way > > we can verify they're not malicious. > > Forget malice -- if they are really needed for some silly vm86-using > program, let's trap them and emulate them so they return dummy values. > > Also, keep in mind that vm86 is already effectively gated behind a > sysctl for non-root. I think the default should be that, if root has > enabled vm86, it should work. Then should I keep UMIP enabled by default and still provide an option to disable it via a kernel parameter? Also, a third option, umip=novm86 would "disable" UMIP in vm86 tasks. Under the new approach (of emulating the impacted instructions), this option, a #GP fault would still be generated but the actual values of GDT/LDT/IDT/MSW would be passed to user space. Does this make sense? Thanks and BR, Ricardo -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
