Remove the execshield boot parameter.

Based on a patch from Kees Cook
2010-09-03 11:22:06 -04:00 · 2010-09-03 11:22:06 -04:00 · 55f50f1d14
commit 55f50f1d14
parent a8df49e8a4
2 changed files with 17 additions and 49 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -1876,6 +1876,10 @@ fi
 #                 ||     ||

 %changelog
+* Fri Sep 03 2010 Dave Jones <davej@redhat.com>
+- Remove the execshield boot parameter.
+  Based on a patch from Kees Cook
+
 * Thu Sep 02 2010 Chuck Ebbert <cebbert@redhat.com> - 2.6.36-0.15.rc3.git0
 - Add patch from ALSA mailing list to try to fix bug #628404
 - tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393)
--- a/linux-2.6-i386-nx-emulation.patch
+++ b/linux-2.6-i386-nx-emulation.patch
@ -107,7 +107,7 @@
 +	 *  If we have either disabled exec-shield on the boot command line,
 +	 *  or we have NX, then we don't need to do this.
 +	 */
-+	if (exec_shield != 0) {
+	if (!disable_nx) {
 +#ifdef CONFIG_X86_PAE
 +		if (!test_cpu_cap(c, X86_FEATURE_NX))
 +#endif
@ -371,19 +371,20 @@
 #include <linux/spinlock.h>
 #include <linux/errno.h>
 #include <linux/init.h>
-@@ -23,6 +24,7 @@ static int __init noexec_setup(char *str)
- 		disable_nx = 0;
- 	} else if (!strncmp(str, "off", 3)) {
- 		disable_nx = 1;
-+		exec_shield = 0;
- 	}
- 	x86_configure_nx();
- 	return 0;
+@@ -6,7 +6,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/proto.h>
+
+-static int disable_nx __cpuinitdata;
+int disable_nx __cpuinitdata;
+
+ /*
+  * noexec = on|off
@@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
 void __init x86_report_nx(void)
 {
 	if (!cpu_has_nx) {
-+		if (exec_shield)
+		if (disable_nx)
 +			printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
 +		else
 +
@ -461,7 +462,7 @@
 +	 * Turn off the CS limit completely if exec-shield disabled or
 +	 * NX active:
 +	 */
-+	if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
+	if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
 +		arch_add_exec_range(current->mm, -1);
 +#endif
 +
@ -474,49 +475,12 @@
 struct fs_struct;
 struct perf_event_context;
 
-+extern int exec_shield;
+extern int disable_nx;
 +extern int print_fatal_signals;
 +
 /*
  * List of flags we want to share for kernel threads,
  * if only because they are not used by them anyway.
--- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -101,6 +101,17 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
- #ifndef CONFIG_MMU
- extern int sysctl_nr_trim_pages;
- #endif
-+
-+int exec_shield = 1;
-+
-+static int __init setup_exec_shield(char *str)
-+{
-+	get_option(&str, &exec_shield);
-+
-+	return 1;
-+}
-+__setup("exec-shield=", setup_exec_shield);
-+
- #ifdef CONFIG_BLOCK
- extern int blk_iopoll_enabled;
- #endif
-@@ -428,6 +448,16 @@ static struct ctl_table kern_table[] = {
- 		.mode		= 0644,
- 		.proc_handler	= proc_dointvec,
- 	},
-+#ifdef CONFIG_X86_32
-+	{
-+		.procname	= "exec-shield",
-+		.data		= &exec_shield,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= &proc_dointvec,
-+	},
-+#endif
-+
- #ifdef CONFIG_PROC_SYSCTL
- 	{
- 		.procname	= "tainted",
 --- b/mm/mmap.c
 +++ b/mm/mmap.c
@@ -44,6 +45,18 @@