From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752120AbbHEIAs (ORCPT ); Wed, 5 Aug 2015 04:00:48 -0400
Received: from mail-wi0-f179.google.com ([209.85.212.179]:36670 "EHLO mail-wi0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750966AbbHEIAq (ORCPT ); Wed, 5 Aug 2015 04:00:46 -0400
Date: Wed, 5 Aug 2015 10:00:37 +0200
From: Ingo Molnar
To: Willy Tarreau
Cc: Andy Lutomirski, Kees Cook, Steven Rostedt, "security@kernel.org", X86 ML, Borislav Petkov, Sasha Levin, LKML, Konrad Rzeszutek Wilk, Boris Ostrovsky, Andrew Cooper, Jan Beulich, xen-devel
Subject: Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time
Message-ID: <20150805080037.GA14472@gmail.com>
References: <1438626217-23970-1-git-send-email-w@1wt.eu> <20150804084911.GA24204@1wt.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150804084911.GA24204@1wt.eu>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

* Willy Tarreau wrote:

> @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
> {
> int ret = -ENOSYS;
>
> + if (!sysctl_modify_ldt) {
> + printk_ratelimited(KERN_INFO
> + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> + " Adjust sysctl if this was not an exploit attempt.\n",
> + current->comm, task_pid_nr(current),
> + from_kuid_munged(current_user_ns(), current_uid()));

UI nit: so this message should really tell the user _which_ sysctl to configure, instead of passive-aggressively alluding to the fact that there's a sysctl somewhere that might do the trick...

Thanks,

	Ingo
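Review bot: the denial message in the `if (!sysctl_modify_ldt)` branch names no sysctl, so an administrator reading the log cannot act on it; replace `" Adjust sysctl if this was not an exploit attempt.\n"` with text that spells out the exact path the `sysctl_modify_ldt` knob is registered under (the quoted hunk does not show that path, so use whatever name the patch registers). Also, the quote ends at the `printk_ratelimited()` arguments, so the denied path's return is not visible; since `ret` is initialised to `-ENOSYS`, the branch should return explicitly rather than fall through to the normal code path, and it is worth confirming the denied call never touches `ptr` before returning.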