From: Willy Tarreau
Subject: Re: [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
Date: Sat, 25 Jul 2015 18:35:27 +0200
Message-ID: <20150725163527.GE17659__45128.8342629143$1437842239$gmane$org@1wt.eu>
References: <7286d77aa81abc38dc40362e2439861427064f6f.1437802102.git.luto@kernel.org> <20150725091531.GE3427@nazgul.tnic>
To: Andy Lutomirski
Cc: "security@kernel.org", Jan Beulich, Peter Zijlstra, Andrew Cooper, X86 ML, "linux-kernel@vger.kernel.org", Steven Rostedt, xen-devel, Borislav Petkov, Andy Lutomirski, Sasha Levin, Boris Ostrovsky
List-Id: xen-devel@lists.xenproject.org

On Sat, Jul 25, 2015 at 09:03:54AM -0700, Andy Lutomirski wrote:
> On Sat, Jul 25, 2015 at 2:15 AM, Borislav Petkov wrote:
> > Is that "default y" going to turn into a "default n" after a grace
> > period?
>
> Let's see how Willy's default-off sysctl plays out. In the long run,
> maybe we'll have it compiled in but runtime-disabled by default.

That's the purpose at least at the beginning.

> There's a big community of users who *really* like using Wine :)

If distro vendors are willing to document a sysctl setting in order to be
able to use Wine in exchange for better security, I'm sure most users will
still prefer to stay safe.

Willy