Re: stop breaking dosemu (Re: x86/kconfig/32: Rename CONFIG_VM86 and default it to 'n')

[Stas Sergeev <stsp@list.ru>]

03.09.2015 15:01, Austin S Hemmelgarn пишет:
> On 2015-09-02 17:12, Stas Sergeev wrote:
>> 02.09.2015 23:55, Andy Lutomirski пишет:
>>> On Wed, Sep 2, 2015 at 1:47 PM, Stas Sergeev <stsp@list.ru> wrote:
>>>> 02.09.2015 23:22, Josh Boyer пишет:
>>>>> On Wed, Sep 2, 2015 at 1:50 PM, Stas Sergeev <stsp@list.ru> wrote:
>>>>>> 02.09.2015 20:46, Josh Boyer пишет:
>>>>>>> On Wed, Sep 2, 2015 at 10:08 AM, Andy Lutomirski
>>>>>>> <luto@amacapital.net>
>>>>>>> wrote:
>>>>>>>> I'd be amenable to switching the default back to y and perhaps
>>>>>>>> adding
>>>>>>>> a sysctl to make the distros more comfortable.  Ingo, Kees, Brian,
>>>>>>>> what do you think?
>>>>>>> Can you please leave the default as N, and have a sysctl option to
>>>>>>> enable it instead?  While dosemu might still be in use, it isn't
>>>>>>> going
>>>>>>> to be the common case at all.  So from a distro perspective, I think
>>>>>>> we'd probably rather have the default match the common case.
>>>>>> The fact that fedora doesn't package dosemu, doesn't automatically
>>>>>> mean all other distros do not too. Since when kernel defaults should
>>>>>> match the ones of fedora?
>>>>> I didn't say that.
>>>> What you said was:
>>>> ---
>>>>
>>>> While dosemu might still be in use, it isn't going
>>>> to be the common case at all.  So from a distro perspective
>>>>
>>>> ---
>>>> ... which is likely true only in fedora circe.
>>>>
>>>>>     The default right now is N.
>>>> In a not yet released kernel, unless I am mistaken.
>>>> If fedora already provides that kernel, other distros likely not.
>>>>
>>>>>     I asked it be left
>>>>> that way.  That's all.
>>>> Lets assume its not yet N, unless there was a kernel release already.
>>>> Its easy to get back if its not too late.
>>> How about CONFIG_SYSCTL_VM86_DEFAULT which defaults to Y?  Fedora
>>> could set it to N.
>> Sorry, I don't understand this sysctl proposal.
>> Could you please educate me what is it all about?
>> This sysctl will disable or enable the vm86() syscall at run-time,
>> right? What does it give us? If you disable something in the
>> config, this gives you, say, smaller kernel image. If OTOH you
>> add the run-time switch, it gives you a bigger image, regardless
>> of its default value.
>> I might be missing something, but I don't understand what
>> problem will this solve? Have I missed some earlier message
>> in this thread?
> The problem this solves is not kernel size, that is not the only reason for wanting to disable a system call.  In this case, it's a system call that is unused by all but a very few programs, which are
> in turn used by a small percentage of users, and said system call does quite a few things that are potentially very dangerous.  Disabling it reduces the attack surface of the system.
Well, thanks for explaining the marketing part of the problem
(initially I wasn't aware, but now Andy already spelled it too),
but the reality is different.