[kernel] Remove the execshield boot parameter. Based on a patch from Kees Cook

Dave Jones davej at fedoraproject.org
Fri Sep 3 15:22:23 UTC 2010


commit 55f50f1d146b2f5d524952234ef1673f196a3b60
Author: Dave Jones <davej at redhat.com>
Date:   Fri Sep 3 11:22:06 2010 -0400

    Remove the execshield boot parameter.
      Based on a patch from Kees Cook

 kernel.spec                       |    4 ++
 linux-2.6-i386-nx-emulation.patch |   62 ++++++++-----------------------------
 2 files changed, 17 insertions(+), 49 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 144ac18..8342c4a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1876,6 +1876,10 @@ fi
 #                 ||     ||
 
 %changelog
+* Fri Sep 03 2010 Dave Jones <davej at redhat.com>
+- Remove the execshield boot parameter.
+  Based on a patch from Kees Cook
+
 * Thu Sep 02 2010 Chuck Ebbert <cebbert at redhat.com> - 2.6.36-0.15.rc3.git0
 - Add patch from ALSA mailing list to try to fix bug #628404
 - tpm-fix-stall-on-boot.patch: attempt to fix stalls during boot (#530393)
diff --git a/linux-2.6-i386-nx-emulation.patch b/linux-2.6-i386-nx-emulation.patch
index 224fe05..2ea7645 100644
--- a/linux-2.6-i386-nx-emulation.patch
+++ b/linux-2.6-i386-nx-emulation.patch
@@ -107,7 +107,7 @@
 +	 *  If we have either disabled exec-shield on the boot command line,
 +	 *  or we have NX, then we don't need to do this.
 +	 */
-+	if (exec_shield != 0) {
++	if (!disable_nx) {
 +#ifdef CONFIG_X86_PAE
 +		if (!test_cpu_cap(c, X86_FEATURE_NX))
 +#endif
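Review bot: The comment kept as context at the top of this hunk still says the emulation is skipped when exec-shield was "disabled on the boot command line", but with the `exec-shield=` parameter removed the condition now keys on `disable_nx`, which is only set by `noexec=off`. Suggest rewording the two comment lines to ` *  If NX emulation was turned off with noexec=off, or the CPU has NX, then we don't need to do this.` so the comment matches the new test. The enclosing function starts and ends outside the hunk.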
@@ -371,19 +371,20 @@
  #include <linux/spinlock.h>
  #include <linux/errno.h>
  #include <linux/init.h>
-@@ -23,6 +24,7 @@ static int __init noexec_setup(char *str)
- 		disable_nx = 0;
- 	} else if (!strncmp(str, "off", 3)) {
- 		disable_nx = 1;
-+		exec_shield = 0;
- 	}
- 	x86_configure_nx();
- 	return 0;
+@@ -6,7 +6,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/proto.h>
+
+-static int disable_nx __cpuinitdata;
++int disable_nx __cpuinitdata;
+
+ /*
+  * noexec = on|off
 @@ -40,6 +42,10 @@ void __cpuinit x86_configure_nx(void)
  void __init x86_report_nx(void)
  {
  	if (!cpu_has_nx) {
-+		if (exec_shield)
++		if (disable_nx)
 +			printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
 +		else
 +
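Review bot: The new condition `if (disable_nx)` in x86_report_nx is inverted relative to the rest of the commit: the other hunks translate `exec_shield` as `!disable_nx` (`if (!disable_nx)` in the cpu setup hunk, `disable_nx || ...` in the exec-range hunk), so this line makes the kernel report "Using x86 segment limits to approximate NX protection" precisely when the user passed `noexec=off`, and takes the else branch when the emulation is actually active. It should read `+		if (!disable_nx)`. As a nit, the inner hunk header `@@ -40,6 +42,10 @@` kept as context still carries the new-side offset that included the now-dropped `exec_shield = 0;` line, so it presumably should become `@@ -40,6 +41,10 @@`; patch will likely still apply it, with an offset message. The default is preserved by the zero initialisation of `disable_nx`, so emulation stays enabled unless `noexec=off` is given.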
@@ -461,7 +462,7 @@
 +	 * Turn off the CS limit completely if exec-shield disabled or
 +	 * NX active:
 +	 */
-+	if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
++	if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
 +		arch_add_exec_range(current->mm, -1);
 +#endif
 +
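Review bot: `disable_nx` is now read on this exec-time path, which runs long after boot, but its definition in the previous hunk keeps the `__cpuinitdata` annotation (`int disable_nx __cpuinitdata;`). In configurations where that annotation places the variable in a discardable init section (no CPU hotplug), this is a section mismatch and the test here would read memory already freed after init, so the definition should presumably drop the annotation: `int disable_nx;`. The same runtime use is exposed through `extern int disable_nx;` in the sched.h hunk below. The enclosing function starts and ends outside the hunk.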
@@ -474,49 +475,12 @@
  struct fs_struct;
  struct perf_event_context;
  
-+extern int exec_shield;
++extern int disable_nx;
 +extern int print_fatal_signals;
 +
  /*
   * List of flags we want to share for kernel threads,
   * if only because they are not used by them anyway.
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -101,6 +101,17 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
- #ifndef CONFIG_MMU
- extern int sysctl_nr_trim_pages;
- #endif
-+
-+int exec_shield = 1;
-+
-+static int __init setup_exec_shield(char *str)
-+{
-+	get_option(&str, &exec_shield);
-+
-+	return 1;
-+}
-+__setup("exec-shield=", setup_exec_shield);
-+
- #ifdef CONFIG_BLOCK
- extern int blk_iopoll_enabled;
- #endif
-@@ -428,6 +448,16 @@ static struct ctl_table kern_table[] = {
- 		.mode		= 0644,
- 		.proc_handler	= proc_dointvec,
- 	},
-+#ifdef CONFIG_X86_32
-+	{
-+		.procname	= "exec-shield",
-+		.data		= &exec_shield,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= &proc_dointvec,
-+	},
-+#endif
-+
- #ifdef CONFIG_PROC_SYSCTL
- 	{
- 		.procname	= "tainted",
 --- b/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -44,6 +45,18 @@
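Review bot: This hunk removes more than the commit title says: besides the `exec-shield=` `__setup` handler it drops the `kernel.exec-shield` entry from kern_table, so `/proc/sys/kernel/exec-shield` disappears and the emulation can no longer be toggled at runtime, only at boot via `noexec=`. That is worth stating in the changelog line and commit message, e.g. `- Remove the execshield boot parameter and the kernel.exec-shield sysctl; use noexec=off instead.`, since any tooling that sets the sysctl will now fail. The `extern int disable_nx;` left in sched.h is unconditional, whereas the removed sysctl entry was guarded by CONFIG_X86_32; that is harmless unless a non-x86 user of the header references it.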

