On Wed, Jul 01, 2026 at 05:10:00PM +0100, Aoife Moloney via devel-announce 
wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/ShadowStack
...
> Two mitigation strategies can be used, depending on the package:
> 
> # Where the `dlopen`ed library can be fixed to include Shadow Stack
> support, the library is fixed and rebuilt with the appropriate markup.
> This is the preferred fix because it preserves Shadow Stack protection
> for the calling application.
> # Where the non-compliant code cannot be fixed in time, the calling
> application is opted out of Shadow Stack via glibc's
> [https://inbox.sourceware.org/libc-alpha/[email protected]/T/#u
> System-Wide Tunables] configuration that can be shipped
> per-application as a configuration file. This disables Shadow Stack
> for that specific application while all other processes retain
> protection.

Related to the "what about binary plugins" problem that others have
raised, can this be set through the usual environment variable instead
of having to use a file? eg.

  export GLIBC_TUNABLES=glibc.cpu.x86_shstk=off

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to