===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** www/67.html 2020/05/06 12:20:45 1.1
--- www/67.html 2020/05/06 12:36:08 1.2
***************
*** 669,684 ****
features and auditing it. The kernel API accessible to these
programs is now restricted through pledge(2).
!
!
!
"syscall call-from" checking
! Introduced msyscall(2), permitting
! system calls from selected code regions only: the main program, ld.so(1), libc.so and
! sigtramp. This is intended to harden against a mixture of W^X failures
! and JIT bugs allowing syscall misinterpretation.
!
Prevented stack trace saving from inspecting untrusted data on
amd64, arm64 and i386.
Used lfence in place of stac/clac on pre-SMAP CPUs to protect
--- 669,680 ----
features and auditing it. The kernel API accessible to these
programs is now restricted through pledge(2).
! System calls may now only be performed from selected code regions:
! the main program, ld.so(1),
! libc.so and the signal trampoline. A new system call
! msyscall(2) indicates
! the the libc range, and activates the locking. This change hardens
! against some attack methods.
Prevented stack trace saving from inspecting untrusted data on
amd64, arm64 and i386.
Used lfence in place of stac/clac on pre-SMAP CPUs to protect