Congrats to Kees Cook, who patiently managed to get this in.
But the slow pace of getting security-tightening mechanisms into the kernel is embarrassing.
It's absurd to wait until "all applications and libraries are perfect" as a security strategy. We need a "plan B". A kernel cannot prevent all errors from becoming security vulnerabilities, but where the kernel can reasonably prevent them or reduce their effects, it should do so.
We should be making security-tightening measures a high priority, not something that's done as a last resort. We should be searching for those mechanisms, not trying to prevent their inclusion.