Sorry, I forgot to this part of the docs: Exec
On exec, shadow stack features are disabled by the kernel. At which point, userspace can choose to re-enable, or lock them. --- This kernel documentation is very confusing. I guess *this* is the reason why programs must be compiled with this feature enabled? I don't know why this feature can't be enabled via the kernel to be inherited on exec, so that all programs can just have it on by default, if you really want to. This is kind of annoying, and I don't understand why exactly it is done this way, since it basically breaks compatibility with NVIDIA, and other proprietary software that you can't directly compile. Scratch my `systemd` suggestion, it isn't possible with the current kernel. Programs will have to have this kernel feature enabled by the program that's being executed *itself,* which is an extremely odd implementation detail that makes no sense IMHO. The implementation of this feature overall seems to be a complete mess, on both the kernel/GCC+LLVM side. I don't really understand the point of the ELF loader flag, when userspace program loaders can't even exec programs to have the feature enabled before a given program's execution execution even begins. What were they thinking??!? Is there some ABI thing that I'm missing here that would break ordinary programs, if the feature was forced on without any specific compiler flags? -- Conclusion -- I don't believe this should be enabled by default, since it might break compatibility with any hardware over 5 years old. I don't think enabling this by default on a separate "security-focused" ISO would be a bad idea, however. In fact, I believe many users would like the addition of security-focused ISOs to Fedora Workstation, and Fedora Server, with a small set of changes that makes Fedora far more secure, and might break compatibility for some users, who prefer older hardware, or prefer to use their machines in a less-secure manner. Sent with Proton Mail secure email. On Tuesday, July 14th, 2026 at 18:40, CS Sushi Man via devel <[email protected]> wrote: > > > On Tuesday, July 14th, 2026 at 18:24, CS Sushi Man via devel > <[email protected]> wrote: > > > if (syscall(SYS_arch_prctl, ARCH_SHSTK_UNLOCK, feature) < 0) > > { > > fprintf(stderr, "Error (failed to unlock): %s.\n", strerror(errno)); > > return 1; > > } > > If the code I sent doesn't work, try removing the if-block I > quoted above. Linux might not like the prospect of non-root > programs unlocking/locking this feature. > > - C. S. Sushi > > > Sent with Proton Mail secure email. -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
