On Sun, Nov 18, 2018 at 02:40:28PM -0800, Tim Chen wrote:
> Tasks that want extra security will enable that via prctl interface or making themselves non-dumpable.
Well, you need to be careful regarding the last part of your option above, because a number of network daemons become non-dumpable by executing setuid() at boot, and certainly don't want to suffer a performance loss as a side effect of wanting to become "normally" secure. I'd suggest using the prctl only, so that it doesn't randomly hit innocent applications that would only have, as a last resort, to turn off reasonable security features to avoid this impact.
Regards,
Willy