CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected] 2026/05/29 17:32:52

Modified files:
        sys/kern       : exec_elf.c 

Log message:
Disable kbind() and pinsyscalls() for static binaries at the correct
time, which is inside exec_elf_makecmds().  Amusingly, it looks like
these protection mechanisms are not needed because other process state
protects against kbind use since we completed the switch to static pie.
Also any privileged static binary (which we ship, setuid or daemon) is
not going to contain a pinsyscall or kbind slot in the loaded pinsyscalls
table, so they cannot perform those.  Only synthetic binaries with their
own pinsyscalls table could play, but of course they won't run with
privilege.
from Andrew Griffiths at Calif
ok kettenis, andrew also approves of this approach
