On Fri, Jun 18, 2010 at 04:00:12AM -0700, Roland McGrath wrote:
> Do we care about the exec-shield=2 configuration? Does anybody use
> I'd be surprised to hear that anyone changes that sysctl these days.
>
> In the execshield patch we have in Fedora at this point, the
> (exec_shield & 2) special cases are the only arch-independent
> changes that are not fairly clean and isolated.
>
> The patch puts a comment in sysctl.c about several bit flags in
> exec_shield, but actually only &2 and !=0 are really meaningful
> in our code. If we could get rid of exec_shield&2 then it would
> be down to just exec_shield!=0 and as of now that already only
> affects NX-emulation in fact.
>
> If someone does want a behavior akin to exec_shield&2 that could
> be done cleanly (and upstreamed) with a saner sysctl or two.
> What it does now is a little incoherent.

Sounds like a good idea to me.