-rw-r--r--ChangeLog7
-rw-r--r--README.tunables14
-rw-r--r--elf/dl-tunables.list2
-rw-r--r--scripts/gen-tunables.awk12
4 files changed, 21 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index 4ec8d83aec..205652ba59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-03-24 Sunyeop Lee <sunyeop97@gmail.com>
+
+ * README.tunables: Updated descriptions.
+ * elf/dl-tunables.list: Fixed typo: SXID_NONE -> NONE.
+ * scripts/gen-tunables.awk: Updated the code related to the
+ commit.
+
2017-03-23 Wilco Dijkstra <wdijkstr@arm.com>
* benchtests/Makefile (string-benchset): Add memcpy-random.
diff --git a/README.tunables b/README.tunables
index df74f3b24b..aace2fca8f 100644
--- a/README.tunables
+++ b/README.tunables
@@ -58,13 +58,13 @@ The list of allowed attributes are:
- env_alias: An alias environment variable
-- is_secure: Specify whether the tunable should be read for setuid
- binaries. True allows the tunable to be read for
- setuid binaries while false disables it. Note that
- even if this is set as true and the value is read, it
- may not be used if it does not validate against the
- acceptable values or is not considered safe by the
- module.
+- security_level: Specify security level of the tunable. Valid values:
+
+ SXID_ERASE: (default) Don't read for AT_SECURE binaries and
+ removed so that child processes can't read it.
+ SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
+ non-AT_SECURE subprocesses.
+ NONE: Read all the time.
2. Call either the TUNABLE_SET_VALUE and pass into it the tunable name and a
pointer to the variable that should be set with the tunable value.
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index cb9e8f173b..b9f1488798 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -27,7 +27,7 @@
# removed so that child processes can't read it.
# SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for
# non-AT_SECURE subprocesses.
-# SXID_NONE: Read all the time.
+# NONE: Read all the time.
glibc {
malloc {
diff --git a/scripts/gen-tunables.awk b/scripts/gen-tunables.awk
index e7bfc22b05..601240ac0d 100644
--- a/scripts/gen-tunables.awk
+++ b/scripts/gen-tunables.awk
@@ -51,8 +51,8 @@ $1 == "}" {
if (!env_alias[top_ns][ns][tunable]) {
env_alias[top_ns][ns][tunable] = "NULL"
}
- if (!is_secure[top_ns][ns][tunable]) {
- is_secure[top_ns][ns][tunable] = "SXID_ERASE"
+ if (!security_level[top_ns][ns][tunable]) {
+ security_level[top_ns][ns][tunable] = "SXID_ERASE"
}
tunable = ""
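Review bot: The fallback `security_level[top_ns][ns][tunable] = "SXID_ERASE"` silently assigns the most restrictive level whenever a tunable omits the `security_level` attribute, and nothing in the script says this is a deliberate fail-safe rather than an arbitrary default. The README hunk in this same commit documents SXID_ERASE as "not read for AT_SECURE binaries and erased so child processes can't read it", so a maintainer relaxing this default would be widening what setuid/AT_SECURE binaries consume from their environment. A one-line comment above the check would make the intent explicit: `# Fail safe: a tunable that does not declare security_level is never honoured by AT_SECURE binaries and is erased from the environment.` The enclosing `$1 == "}"` rule begins before and continues after this hunk.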
@@ -104,12 +104,12 @@ $1 == "}" {
}
else if (attr == "security_level") {
if (val == "SXID_ERASE" || val == "SXID_IGNORE" || val == "NONE") {
- is_secure[top_ns][ns][tunable] = val
+ security_level[top_ns][ns][tunable] = val
}
else {
- printf("Line %d: Invalid value (%s) for is_secure: %s, ", NR, val,
+ printf("Line %d: Invalid value (%s) for security_level: %s, ", NR, val,
$0)
- print("Allowed values are 'true' or 'false'")
+ print("Allowed values are 'SXID_ERASE', 'SXID_IGNORE', or 'NONE'")
exit 1
}
}
@@ -148,7 +148,7 @@ END {
printf (" {TUNABLE_NAME_S(%s, %s, %s)", t, n, m)
printf (", {TUNABLE_TYPE_%s, %s, %s}, {.numval = 0}, NULL, TUNABLE_SECLEVEL_%s, %s},\n",
types[t][n][m], minvals[t][n][m], maxvals[t][n][m],
- is_secure[t][n][m], env_alias[t][n][m]);
+ security_level[t][n][m], env_alias[t][n][m]);
}
}
}