From 65eff7fbdbddad8c1f9af7cb48cd3b5dca3c5c9d Mon Sep 17 00:00:00 2001 From: Sunyeop Lee Date: Fri, 24 Mar 2017 11:08:28 +0530 Subject: Update old tunables framework document/script. Since commit 8b9e9c3c0bae497ad5e2d0ae2f333f62feddcc12, security_level replaces is_secure. There were some old files need to be updated. 2017-03-23 Sunyeop Lee * README.tunables: Updated descriptions. * elf/dl-tunables.list: Fixed typo: SXID_NONE -> NONE. * scripts/gen-tunables.awk: Updated the code related to the commit. --- README.tunables | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'README.tunables') diff --git a/README.tunables b/README.tunables index df74f3b..aace2fc 100644 --- a/README.tunables +++ b/README.tunables @@ -58,13 +58,13 @@ The list of allowed attributes are: - env_alias: An alias environment variable -- is_secure: Specify whether the tunable should be read for setuid - binaries. True allows the tunable to be read for - setuid binaries while false disables it. Note that - even if this is set as true and the value is read, it - may not be used if it does not validate against the - acceptable values or is not considered safe by the - module. +- security_level: Specify security level of the tunable. Valid values: + + SXID_ERASE: (default) Don't read for AT_SECURE binaries and + removed so that child processes can't read it. + SXID_IGNORE: Don't read for AT_SECURE binaries, but retained for + non-AT_SECURE subprocesses. + NONE: Read all the time. 2. Call either the TUNABLE_SET_VALUE and pass into it the tunable name and a pointer to the variable that should be set with the tunable value. -- cgit v1.1
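Review bot: The new NONE line ("Read all the time.") drops the caveat that the removed is_secure text carried: a value that is read "may not be used if it does not validate against the acceptable values or is not considered safe by the module". Please keep that sentence under NONE, since it is the only level at which the tunable is still read for AT_SECURE binaries. In the SXID_ERASE line, "and removed so that child processes can't read it" does not say what is removed or from where; something like "and remove it from the environment so that child processes can't read it" would be clearer. The old text spoke of setuid binaries and the new text speaks only of AT_SECURE, so one sentence relating the two terms would help readers of the README who do not know the auxiliary vector entry.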