picnoir/glibc
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Reword description of SXID_* tunable properties

Browse source 
The SXID_* tunable properties only influence processes that are
AT_SECURE, so make that a bit more explicit in the documentation and
comment.

Revisiting the code after a few years I managed to confuse myself, so
I imagine there could be others who may have incorrectly assumed like
I did that the SXID_ERASE tunables are not inherited by children of
non-AT_SECURE processes.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
This commit is contained in:
Siddhesh Poyarekar 2020-10-22 11:39:00 +05:30
parent 4be44c3208
commit 6c2b579962
2 changed files with 12 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
elf/dl-tunables.list
View file

@ -21,12 +21,13 @@
# minval: Optional minimum acceptable value
# maxval: Optional maximum acceptable value
# env_alias: An alias environment variable
# security_level: Specify security level of the tunable. Valid values are:
# security_level: Specify security level of the tunable for AT_SECURE binaries.
# Valid values are:
#
# SXID_ERASE: (default) Don't read for AT_SECURE binaries and
# removed so that child processes can't read it.
# SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
# non-AT_SECURE subprocesses.
# SXID_ERASE: (default) Do not read and do not pass on to
# child processes.
# SXID_IGNORE: Do not read, but retain for non-AT_SECURE
# subprocesses.
# NONE: Read all the time.
glibc {

11
manual/README.tunables
View file

@ -59,12 +59,13 @@ The list of allowed attributes are:
- env_alias: An alias environment variable
- security_level: Specify security level of the tunable. Valid values:
- security_level: Specify security level of the tunable for AT_SECURE
binaries. Valid values are:
SXID_ERASE: (default) Don't read for AT_SECURE binaries and
removed so that child processes can't read it.
SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
non-AT_SECURE subprocesses.
SXID_ERASE: (default) Do not read and do not pass on to
child processes.
SXID_IGNORE: Do not read, but retain for non-AT_SECURE
child processes.
NONE: Read all the time.
2. Use TUNABLE_GET/TUNABLE_SET/TUNABLE_SET_WITH_BOUNDS to get and set tunables.