Remove the execshield boot parameter.

Based on a patch from Kees Cook
This commit is contained in:
Dave Jones 2010-09-03 11:22:06 -04:00
parent a8df49e8a4
commit 55f50f1d14
2 changed files with 17 additions and 49 deletions


@ -1876,6 +1876,10 @@ fi
# || || # || ||
%changelog %changelog
* Fri Sep 03 2010 Dave Jones <davej@redhat.com>
- Remove the execshield boot parameter.
Based on a patch from Kees Cook
* Thu Sep 02 2010 Chuck Ebbert <cebbert@redhat.com> - 2.6.36-0.15.rc3.git0 * Thu Sep 02 2010 Chuck Ebbert <cebbert@redhat.com> - 2.6.36-0.15.rc3.git0
- Add patch from ALSA mailing list to try to fix bug #628404 - Add patch from ALSA mailing list to try to fix bug #628404
- tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393) - tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393)


@ -107,7 +107,7 @@
+ * If we have either disabled exec-shield on the boot command line, + * If we have either disabled exec-shield on the boot command line,
+ * or we have NX, then we don't need to do this. + * or we have NX, then we don't need to do this.
+ */ + */
+ if (exec_shield != 0) { + if (!disable_nx) {
+#ifdef CONFIG_X86_PAE +#ifdef CONFIG_X86_PAE
+ if (!test_cpu_cap(c, X86_FEATURE_NX)) + if (!test_cpu_cap(c, X86_FEATURE_NX))
+#endif +#endif
@ -371,19 +371,20 @@
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/init.h> #include <linux/init.h>
@@ -23,6 +24,7 @@ static int __init noexec_setup(char *str) @@ -6,7 +6,7 @@
disable_nx = 0; #include <asm/pgtable.h>
} else if (!strncmp(str, "off", 3)) { #include <asm/proto.h>
disable_nx = 1;
+ exec_shield = 0; -static int disable_nx __cpuinitdata;
} +int disable_nx __cpuinitdata;
x86_configure_nx();
return 0; /*
* noexec = on|off
@@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void) @@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
void __init x86_report_nx(void) void __init x86_report_nx(void)
{ {
if (!cpu_has_nx) { if (!cpu_has_nx) {
+ if (exec_shield) + if (disable_nx)
+ printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n"); + printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
+ else + else
+ +
@ -461,7 +462,7 @@
+ * Turn off the CS limit completely if exec-shield disabled or + * Turn off the CS limit completely if exec-shield disabled or
+ * NX active: + * NX active:
+ */ + */
+ if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX)) + if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
+ arch_add_exec_range(current->mm, -1); + arch_add_exec_range(current->mm, -1);
+#endif +#endif
+ +
@ -474,49 +475,12 @@
struct fs_struct; struct fs_struct;
struct perf_event_context; struct perf_event_context;
+extern int exec_shield; +extern int disable_nx;
+extern int print_fatal_signals; +extern int print_fatal_signals;
+ +
/* /*
* List of flags we want to share for kernel threads, * List of flags we want to share for kernel threads,
* if only because they are not used by them anyway. * if only because they are not used by them anyway.
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -101,6 +101,17 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
#ifndef CONFIG_MMU
extern int sysctl_nr_trim_pages;
#endif
+
+int exec_shield = 1;
+
+static int __init setup_exec_shield(char *str)
+{
+ get_option(&str, &exec_shield);
+
+ return 1;
+}
+__setup("exec-shield=", setup_exec_shield);
+
#ifdef CONFIG_BLOCK
extern int blk_iopoll_enabled;
#endif
@@ -428,6 +448,16 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec,
},
+#ifdef CONFIG_X86_32
+ {
+ .procname = "exec-shield",
+ .data = &exec_shield,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
--- b/mm/mmap.c --- b/mm/mmap.c
+++ b/mm/mmap.c +++ b/mm/mmap.c
@@ -44,6 +45,18 @@ @@ -44,6 +45,18 @@