Re: [PATCH] VFS: add config options to enable link restrictions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 26, 2012 at 12:21 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Oct 26, 2012 at 11:50 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> There are situations where devices running without initrds may need
>> very early protection from link vulnerabilities
>
> I really don't see what this argument is all about.
>
> If you don't have initrd, you still have early bootup scripts etc.
>
> If your early bootup has security problems, you have security
> problems. It has nothing to do with initrd, or with restricted links,
> or anything else.

I think there's value in being able to enable these protections at
build-time so there's no need for a distro to have to ship extra
files/lines, spend time setting it, etc. This isn't like other
tunables, IMO.

> I also refuse to add these kinds of micro-management config options
> and ask any kind of normal person these kinds of "do you want this
> random crazy feature". A config option would need to be way more sane,
> not this kind of micro-management.

Would a single config item be acceptable? What would be an agreeable
way to enable this at build-time?

-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux