Remove the execshield boot parameter.
Based on a patch from Kees Cook
parent
a8df49e8a4
commit
55f50f1d14
@ -1876,6 +1876,10 @@ fi
|
|||||||
# || ||
|
# || ||
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 03 2010 Dave Jones <davej@redhat.com>
|
||||||
|
- Remove the execshield boot parameter.
|
||||||
|
Based on a patch from Kees Cook
|
||||||
|
|
||||||
* Thu Sep 02 2010 Chuck Ebbert <cebbert@redhat.com> - 2.6.36-0.15.rc3.git0
|
* Thu Sep 02 2010 Chuck Ebbert <cebbert@redhat.com> - 2.6.36-0.15.rc3.git0
|
||||||
- Add patch from ALSA mailing list to try to fix bug #628404
|
- Add patch from ALSA mailing list to try to fix bug #628404
|
||||||
- tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393)
|
- tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393)
|
||||||
|
@ -107,7 +107,7 @@
|
|||||||
+ * If we have either disabled exec-shield on the boot command line,
|
+ * If we have either disabled exec-shield on the boot command line,
|
||||||
+ * or we have NX, then we don't need to do this.
|
+ * or we have NX, then we don't need to do this.
|
||||||
+ */
|
+ */
|
||||||
+ if (exec_shield != 0) {
|
+ if (!disable_nx) {
|
||||||
+#ifdef CONFIG_X86_PAE
|
+#ifdef CONFIG_X86_PAE
|
||||||
+ if (!test_cpu_cap(c, X86_FEATURE_NX))
|
+ if (!test_cpu_cap(c, X86_FEATURE_NX))
|
||||||
+#endif
|
+#endif
|
||||||
@ -371,19 +371,20 @@
|
|||||||
#include <linux/spinlock.h>
|
#include <linux/spinlock.h>
|
||||||
#include <linux/errno.h>
|
#include <linux/errno.h>
|
||||||
#include <linux/init.h>
|
#include <linux/init.h>
|
||||||
@@ -23,6 +24,7 @@ static int __init noexec_setup(char *str)
|
@@ -6,7 +6,7 @@
|
||||||
disable_nx = 0;
|
#include <asm/pgtable.h>
|
||||||
} else if (!strncmp(str, "off", 3)) {
|
#include <asm/proto.h>
|
||||||
disable_nx = 1;
|
|
||||||
+ exec_shield = 0;
|
-static int disable_nx __cpuinitdata;
|
||||||
}
|
+int disable_nx __cpuinitdata;
|
||||||
x86_configure_nx();
|
|
||||||
return 0;
|
/*
|
||||||
|
* noexec = on|off
|
||||||
@@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
|
@@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
|
||||||
void __init x86_report_nx(void)
|
void __init x86_report_nx(void)
|
||||||
{
|
{
|
||||||
if (!cpu_has_nx) {
|
if (!cpu_has_nx) {
|
||||||
+ if (exec_shield)
|
+ if (disable_nx)
|
||||||
+ printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
|
+ printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
|
||||||
+ else
|
+ else
|
||||||
+
|
+
|
||||||
@ -461,7 +462,7 @@
|
|||||||
+ * Turn off the CS limit completely if exec-shield disabled or
|
+ * Turn off the CS limit completely if exec-shield disabled or
|
||||||
+ * NX active:
|
+ * NX active:
|
||||||
+ */
|
+ */
|
||||||
+ if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
|
+ if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
|
||||||
+ arch_add_exec_range(current->mm, -1);
|
+ arch_add_exec_range(current->mm, -1);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
@ -474,49 +475,12 @@
|
|||||||
struct fs_struct;
|
struct fs_struct;
|
||||||
struct perf_event_context;
|
struct perf_event_context;
|
||||||
|
|
||||||
+extern int exec_shield;
|
+extern int disable_nx;
|
||||||
+extern int print_fatal_signals;
|
+extern int print_fatal_signals;
|
||||||
+
|
+
|
||||||
/*
|
/*
|
||||||
* List of flags we want to share for kernel threads,
|
* List of flags we want to share for kernel threads,
|
||||||
* if only because they are not used by them anyway.
|
* if only because they are not used by them anyway.
|
||||||
--- a/kernel/sysctl.c
|
|
||||||
+++ b/kernel/sysctl.c
|
|
||||||
@@ -101,6 +101,17 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
|
|
||||||
#ifndef CONFIG_MMU
|
|
||||||
extern int sysctl_nr_trim_pages;
|
|
||||||
#endif
|
|
||||||
+
|
|
||||||
+int exec_shield = 1;
|
|
||||||
+
|
|
||||||
+static int __init setup_exec_shield(char *str)
|
|
||||||
+{
|
|
||||||
+ get_option(&str, &exec_shield);
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+__setup("exec-shield=", setup_exec_shield);
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_BLOCK
|
|
||||||
extern int blk_iopoll_enabled;
|
|
||||||
#endif
|
|
||||||
@@ -428,6 +448,16 @@ static struct ctl_table kern_table[] = {
|
|
||||||
.mode = 0644,
|
|
||||||
.proc_handler = proc_dointvec,
|
|
||||||
},
|
|
||||||
+#ifdef CONFIG_X86_32
|
|
||||||
+ {
|
|
||||||
+ .procname = "exec-shield",
|
|
||||||
+ .data = &exec_shield,
|
|
||||||
+ .maxlen = sizeof(int),
|
|
||||||
+ .mode = 0644,
|
|
||||||
+ .proc_handler = &proc_dointvec,
|
|
||||||
+ },
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_PROC_SYSCTL
|
|
||||||
{
|
|
||||||
.procname = "tainted",
|
|
||||||
--- b/mm/mmap.c
|
--- b/mm/mmap.c
|
||||||
+++ b/mm/mmap.c
|
+++ b/mm/mmap.c
|
||||||
@@ -44,6 +45,18 @@
|
@@ -44,6 +45,18 @@
|
||||||
|
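Review bot: The new condition in x86_report_nx is inverted relative to the other two conversions in this patch: in the `@@ -40,6 +42,10` hunk `if (exec_shield)` became `if (disable_nx)`, so "Using x86 segment limits to approximate NX protection" is now printed precisely when noexec=off has set disable_nx and switched the emulation off, whereas the `@ -107` and `@ -461` hunks map exec_shield to `!disable_nx` (`if (!disable_nx) {` and `if (disable_nx || executable_stack != EXSTACK_DISABLE_X ...)`). It should read `if (!disable_nx)` so the boot-time report agrees with what the CS-limit code in the `@ -461` hunk actually does. Separately, `int disable_nx __cpuinitdata;` keeps its init-data annotation while becoming a global that the `@ -461` hunk reads from what looks like the per-exec path (`current->mm`, `executable_stack`); if that code runs after init memory is freed on a build without CPU hotplug, the `__cpuinitdata` should be dropped — worth confirming against the full patch. The functions enclosing the `@ -107`, `@ -40` and `@ -461` hunks start and end outside the visible fragments.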