From: Willy Tarreau <w@1wt.eu>
To: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Jiri Kosina <jikos@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Casey Schaufler <casey.schaufler@intel.com>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
the arch/x86 maintainers <x86@kernel.org>,
stable@vger.kernel.org
Subject: Re: STIBP by default.. Revert?
Date: Mon, 19 Nov 2018 04:48:46 +0100 [thread overview]
Message-ID: <20181119034846.GA11333@1wt.eu> (raw)
In-Reply-To: <32d00fb2-7187-ed6f-ab1e-287151e82b3a@linux.intel.com>
On Sun, Nov 18, 2018 at 02:40:28PM -0800, Tim Chen wrote:
> Tasks that want extra security will enable that via prctl interface or
> making themselves non-dumpable.
Well, you need to be careful regarding the last part of your option
above, because a number of network daemons become non-dumpable by
executing setuid() at boot, and certainly don't want to suffer a
performance loss as a side effect of wanting to become "normally"
secure. I'd suggest to use the prctl only so that it doesn't
randomly hit innocent applications that would only have as a last
resort to turn off reasonable security features to avoid this impact.
Regards,
Willy
next prev parent reply other threads:[~2018-11-19 3:49 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-18 20:36 STIBP by default.. Revert? Linus Torvalds
2018-11-18 21:49 ` Jiri Kosina
2018-11-18 21:59 ` Willy Tarreau
2018-11-18 22:00 ` Linus Torvalds
2018-11-18 22:17 ` Jiri Kosina
2018-11-18 22:35 ` Dave Hansen
2018-11-18 22:36 ` Tony Luck
2018-11-18 22:36 ` Linus Torvalds
2018-11-18 22:55 ` Tim Chen
2018-11-18 23:56 ` Andi Kleen
2018-11-18 22:40 ` Tim Chen
2018-11-18 23:58 ` Andi Kleen
2018-11-19 3:48 ` Willy Tarreau [this message]
2018-11-19 12:49 ` Thomas Gleixner
2018-11-18 23:01 ` Jiri Kosina
2018-11-18 23:04 ` Arjan van de Ven
2018-11-20 15:27 ` Jiri Kosina
2018-11-20 23:43 ` Arjan van de Ven
2018-11-19 8:38 ` Ingo Molnar
2018-11-19 8:43 ` Jiri Kosina
2018-11-20 15:20 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181119034846.GA11333@1wt.eu \
--to=w@1wt.eu \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=casey.schaufler@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.