===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- www/67.html 2020/05/06 12:20:45 1.1
+++ www/67.html 2020/05/06 12:36:08 1.2
@@ -669,16 +669,12 @@
features and auditing it. The kernel API accessible to these
programs is now restricted through pledge(2).
-
-
-
"syscall call-from" checking
- Introduced msyscall(2), permitting
- system calls from selected code regions only: the main program, ld.so(1), libc.so and
- sigtramp. This is intended to harden against a mixture of W^X failures
- and JIT bugs allowing syscall misinterpretation.
-
+ System calls may now only be performed from selected code regions:
+ the main program, ld.so(1),
+ libc.so and the signal trampoline. A new system call
+ msyscall(2) indicates
+ the the libc range, and activates the locking. This change hardens
+ against some attack methods.
Prevented stack trace saving from inspecting untrusted data on
amd64, arm64 and i386.
Used lfence in place of stac/clac on pre-SMAP CPUs to protect