author: Anthony G. Basile <blueness@gentoo.org> 2013-07-11 19:42:04 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2013-07-11 19:42:04 -0400
commit: df4440f92d0f8572c9c728e125ccf97ee6169e80 (patch)
tree: a12e1438caeb3514cbc8e54e811cce5bd2908ce8 /3.10.0/4470_disable-compat_vdso.patch
parent: Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.9}-201307050017 (diff)
download: hardened-patchset-20130709.tar.gz, hardened-patchset-20130709.tar.bz2, hardened-patchset-20130709.zip

Grsec/PaX: 2.9.1-{2.6.32.61,3.2.48,3.10.0}-201307092224 (tag: 20130709)
Diffstat (limited to '3.10.0/4470_disable-compat_vdso.patch')
-rw-r--r-- 3.10.0/4470_disable-compat_vdso.patch | 46
1 file changed, 46 insertions, 0 deletions
diff --git a/3.10.0/4470_disable-compat_vdso.patch b/3.10.0/4470_disable-compat_vdso.patch
new file mode 100644
index 0000000..424d91f
--- /dev/null
+++ b/3.10.0/4470_disable-compat_vdso.patch
@@ -0,0 +1,46 @@
+No need to wrap vdso calls as gentoo does not use any version of
+glibc <=2.3.3
+---
+From: Gordon Malm <gengor@gentoo.org>
+From: Kerin Millar <kerframil@gmail.com>
+From: Jory A. Pratt <anarchy@gentoo.org>
+
+COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
+conflicts with various parts of PaX, crashing the system if enabled
+while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
+a number of important PaX options from appearing in the configuration
+menu, including all PaX NOEXEC implementations. Unfortunately, the
+reason for the disappearance of these PaX configuration options is
+often far from obvious to inexperienced users.
+
+Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
+COMPAT_VDSO operation can still be enabled via bootparam and sysctl
+interfaces. Consequently, we must also disable the ability to select
+COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
+that selecting COMPAT_VDSO operation at boot/runtime has no effect if
+conflicting PaX options are enabled, leaving VDSO_ENABLED operation
+intact.
+
+Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
+
+diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
+--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
++++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
+@@ -1786,17 +1786,8 @@
+
+ config COMPAT_VDSO
+ def_bool n
+- prompt "Compat VDSO support"
+ depends on X86_32 || IA32_EMULATION
+ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+- ---help---
+- Map the 32-bit VDSO to the predictable old-style address too.
+-
+- Say N here if you are running a sufficiently recent glibc
+- version (2.3.3 or later), to remove the high-mapped
+- VDSO mapping and to exclusively use the randomized VDSO.
+-
+- If unsure, say Y.
+
+ config CMDLINE_BOOL
+ bool "Built-in kernel command line"
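Review bot: the patch description promises more than the hunk delivers. The text says that, because COMPAT_VDSO "can still be enabled via bootparam and sysctl interfaces", the kernel is patched so that selecting it at boot/runtime "has no effect if conflicting PaX options are enabled", yet the only change in this 46-line file is to arch/x86/Kconfig, where it drops `prompt "Compat VDSO support"` and the help text. Nothing here touches the boot-parameter or sysctl handling the description names, so either that part lives in another patch of the set and should be referenced from this one, or the description should be trimmed to what the hunk actually does (removing the menu entry, leaving `def_bool n`). Two smaller points: the `depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` line is unchanged context, so this patch only applies on top of the grsecurity patch and that ordering dependency is worth stating; and the inner file headers are dated 2009-07-31 while the patch is filed under 3.10.0, so confirm the hunk still applies at the `@@ -1786,17 +1786,8 @@` offset on a 3.10.0 grsec tree rather than relying on fuzz.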