| field | value | date |
|---|---|---|
| author | Anthony G. Basile <blueness@gentoo.org> | 2017-02-25 06:57:22 -0500 |
| committer | Anthony G. Basile <blueness@gentoo.org> | 2017-02-25 06:57:22 -0500 |
| commit | b29d22f84076b2b7b21dd32836b57ca262dcd8db | |
| tree | a679d884201331901989ab65ec6a279cd62cbdfc /4.9.12/4475_emutramp_default_on.patch | |
| parent | grsecurity-3.1-4.9.11-201702181444 | |
grsecurity-3.1-4.9.12-20170223183020170223
Diffstat (limited to '4.9.12/4475_emutramp_default_on.patch')
-rw-r--r-- | 4.9.12/4475_emutramp_default_on.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/4.9.12/4475_emutramp_default_on.patch b/4.9.12/4475_emutramp_default_on.patch new file mode 100644 index 0000000..feb8c7b --- /dev/null +++ b/4.9.12/4475_emutramp_default_on.patch @@ -0,0 +1,34 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines. +We default PAX_EMUTRAMP='y' since almost all hardened users will want this. + +See bug: + http://bugs.gentoo.org/show_bug.cgi?id=329499 + http://bugs.gentoo.org/show_bug.cgi?id=457194 + +diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig +--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 ++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 +@@ -440,7 +440,7 @@ + + config PAX_EMUTRAMP + bool "Emulate trampolines" +- default y if PARISC || GRKERNSEC_CONFIG_AUTO ++ default y + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) + help + There are some programs and libraries that for one reason or +@@ -463,6 +463,12 @@ + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC + for the affected files. + ++ NOTE: Hardened Gentoo users needs this option enabled for python ++ to work properly. Without it, all python apps, including portage, ++ may fail. By default, python has CONFIG_PAX_EMUTRAMP enabled by ++ the ebuild when USE=pax_kernel is set, otherise CONFIG_PAX_PAGEEXEC ++ is enabled as a fallback. ++ + NOTE: enabling this feature *may* open up a loophole in the + protection provided by non-executable pages that an attacker + could abuse. Therefore the best solution is to not have any |
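Review bot: the help-text paragraph added in the second inner hunk (`@@ -463,6 +463,12 @@`) ships two typos into Kconfig help as written: `Hardened Gentoo users needs this option enabled` should read `need`, and `otherise CONFIG_PAX_PAGEEXEC` should read `otherwise`. The same paragraph states that python "has CONFIG_PAX_EMUTRAMP enabled by the ebuild when USE=pax_kernel is set", which conflates the kernel config symbol with the per-executable PaX marking an ebuild can actually apply; wording it as the ebuild marking the python binary for trampoline emulation (falling back to a PAGEEXEC marking) would be accurate. Separately, the inner `diff -Naur` header still names `linux-3.9.2-hardened` paths with 2013 timestamps although the file is added under `4.9.12/`; regenerating it against the 4.9 tree would avoid relying on fuzz when the patchset is applied. On the substantive change in the first inner hunk, `-default y if PARISC || GRKERNSEC_CONFIG_AUTO` to `+default y`, the retained `depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)` line still gates the option, so only the unconditional default changes, but the existing NOTE kept as trailing context warns that enabling this feature may open a loophole in the protection provided by non-executable pages. The description's justification ("almost all hardened users will want this") would be stronger if it named that trade-off and pointed out that users without python or libffi dependents can still set the option to n.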