On Wed, Jul 01, 2026 at 05:10:00PM +0100, Aoife Moloney via devel-announce wrote: > Wiki - https://fedoraproject.org/wiki/Changes/ShadowStack ... > Two mitigation strategies can be used, depending on the package: > > # Where the `dlopen`ed library can be fixed to include Shadow Stack > support, the library is fixed and rebuilt with the appropriate markup. > This is the preferred fix because it preserves Shadow Stack protection > for the calling application. > # Where the non-compliant code cannot be fixed in time, the calling > application is opted out of Shadow Stack via glibc's > [https://inbox.sourceware.org/libc-alpha/[email protected]/T/#u > System-Wide Tunables] configuration that can be shipped > per-application as a configuration file. This disables Shadow Stack > for that specific application while all other processes retain > protection.
Related to the "what about binary plugins" problem that others have raised, can this be set through the usual environment variable instead of having to use a file? eg. export GLIBC_TUNABLES=glibc.cpu.x86_shstk=off Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
