author | Dave Jones <davej@redhat.com> | 2010-09-03 11:22:06 -0400 |
---|---|---|
committer | Dave Jones <davej@redhat.com> | 2010-09-03 11:22:06 -0400 |
commit | 55f50f1d146b2f5d524952234ef1673f196a3b60 (patch) | |
tree | 23b3f98246e36b382673365961b44bd21d138180 /linux-2.6-i386-nx-emulation.patch | |
parent | a8df49e8a4fb5b0860f069dbc2ada5109c683058 (diff) | |
Remove the execshield boot parameter.
Based on a patch from Kees Cook
Diffstat (limited to 'linux-2.6-i386-nx-emulation.patch')
-rw-r--r-- | linux-2.6-i386-nx-emulation.patch | 62 |
1 files changed, 13 insertions, 49 deletions
diff --git a/linux-2.6-i386-nx-emulation.patch b/linux-2.6-i386-nx-emulation.patch
index 224fe0587..2ea7645a1 100644
--- a/linux-2.6-i386-nx-emulation.patch
+++ b/linux-2.6-i386-nx-emulation.patch
@@ -107,7 +107,7 @@
 + * If we have either disabled exec-shield on the boot command line,
 + * or we have NX, then we don't need to do this.
 + */
-+ if (exec_shield != 0) {
++ if (!disable_nx) {
 +#ifdef CONFIG_X86_PAE
 + if (!test_cpu_cap(c, X86_FEATURE_NX))
 +#endif
@@ -371,19 +371,20 @@
 #include <linux/spinlock.h>
 #include <linux/errno.h>
 #include <linux/init.h>
-@@ -23,6 +24,7 @@ static int __init noexec_setup(char *str)
- disable_nx = 0;
- } else if (!strncmp(str, "off", 3)) {
- disable_nx = 1;
-+ exec_shield = 0;
- }
- x86_configure_nx();
- return 0;
+@@ -6,7 +6,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/proto.h>
+
+-static int disable_nx __cpuinitdata;
++int disable_nx __cpuinitdata;
+
+ /*
+ * noexec = on|off
 @@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
 void __init x86_report_nx(void)
 {
 if (!cpu_has_nx) {
-+ if (exec_shield)
++ if (disable_nx)
 + printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
 + else
 +
@@ -461,7 +462,7 @@
 + * Turn off the CS limit completely if exec-shield disabled or
 + * NX active:
 + */
-+ if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
++ if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
 + arch_add_exec_range(current->mm, -1);
 +#endif
 +
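Review bot: The comment above the changed test in the 107 hunk still says the fallback is skipped when exec-shield is disabled on the boot command line, but the condition now reads `disable_nx` and this commit removes the `exec-shield=` parameter. Judging by the `noexec = on|off` comment and the removed `noexec_setup` context in the 371 hunk, that flag is driven by `noexec=off`. The comment in the 461 hunk has the same stale wording (`if exec-shield disabled or NX active`). I would reword both, for example ` * If NX was turned off with noexec=off, or the CPU has NX, we don't need to do this.` The enclosing function starts and ends outside the hunk.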
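Review bot: The rewritten test in x86_report_nx (371 hunk) looks inverted: the 107 and 461 hunks map `exec_shield != 0` to `!disable_nx` and `!exec_shield` to `disable_nx`, but here `if (exec_shield)` became `if (disable_nx)`. As written, a boot with NX disabled would log "Using x86 segment limits to approximate NX protection", while a default boot on a CPU without NX would take the else branch instead. The line should read `if (!disable_nx)`. Admins use this boot message to confirm the mitigation is active, so it has to match the state the 107 hunk actually sets up. The body of x86_report_nx continues outside the hunk.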
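Review bot: `disable_nx` is read in the 461 hunk next to `current->mm` and `executable_stack`, which looks like a per-exec path that runs long after boot, yet the definition made global in the 371 hunk keeps `__cpuinitdata`. On builds without CPU hotplug that section is discarded with the rest of init memory, so this test would read freed memory and the CS-limit decision would depend on whatever lands there. The `exec_shield` variable it replaces was a plain global. I would drop the init annotation on the definition, e.g. `int disable_nx __read_mostly;`. The enclosing function starts and ends outside the hunk.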
@@ -474,49 +475,12 @@
 struct fs_struct;
 struct perf_event_context;
-+extern int exec_shield;
++extern int disable_nx;
 +extern int print_fatal_signals;
 +
 /*
 * List of flags we want to share for kernel threads,
 * if only because they are not used by them anyway.
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -101,6 +101,17 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
- #ifndef CONFIG_MMU
- extern int sysctl_nr_trim_pages;
- #endif
-+
-+int exec_shield = 1;
-+
-+static int __init setup_exec_shield(char *str)
-+{
-+ get_option(&str, &exec_shield);
-+
-+ return 1;
-+}
-+__setup("exec-shield=", setup_exec_shield);
-+
- #ifdef CONFIG_BLOCK
- extern int blk_iopoll_enabled;
- #endif
-@@ -428,6 +448,16 @@ static struct ctl_table kern_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-+#ifdef CONFIG_X86_32
-+ {
-+ .procname = "exec-shield",
-+ .data = &exec_shield,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec,
-+ },
-+#endif
-+
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
 --- b/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -44,6 +45,18 @@ |