Diffstat (limited to '2.6.39/4421_remove-legacy-pax-ei.patch')
-rw-r--r--2.6.39/4421_remove-legacy-pax-ei.patch191
1 files changed, 0 insertions, 191 deletions
diff --git a/2.6.39/4421_remove-legacy-pax-ei.patch b/2.6.39/4421_remove-legacy-pax-ei.patch
deleted file mode 100644
index 1e5db3a..0000000
--- a/2.6.39/4421_remove-legacy-pax-ei.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-This patch removes all references to legacy EI_PAX markings
-in favor of PT_PAX. It should be applied immediately after
-the grsecurity patch.
-
-diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
---- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
-+++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400
-@@ -553,7 +553,7 @@
- return error;
- }
-
--#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
-+#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
- static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
- {
- unsigned long pax_flags = 0UL;
-@@ -639,50 +639,7 @@
- }
- #endif
-
--#ifdef CONFIG_PAX_EI_PAX
--static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
--{
-- unsigned long pax_flags = 0UL;
--
--#ifdef CONFIG_PAX_PAGEEXEC
-- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
-- pax_flags |= MF_PAX_PAGEEXEC;
--#endif
--
--#ifdef CONFIG_PAX_SEGMEXEC
-- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
-- pax_flags |= MF_PAX_SEGMEXEC;
--#endif
--
--#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-- if ((__supported_pte_mask & _PAGE_NX))
-- pax_flags &= ~MF_PAX_SEGMEXEC;
-- else
-- pax_flags &= ~MF_PAX_PAGEEXEC;
-- }
--#endif
--
--#ifdef CONFIG_PAX_EMUTRAMP
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
-- pax_flags |= MF_PAX_EMUTRAMP;
--#endif
--
--#ifdef CONFIG_PAX_MPROTECT
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
-- pax_flags |= MF_PAX_MPROTECT;
--#endif
--
--#ifdef CONFIG_PAX_ASLR
-- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
-- pax_flags |= MF_PAX_RANDMMAP;
--#endif
--
-- return pax_flags;
--}
--#endif
--
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
- {
- unsigned long pax_flags = 0UL;
-@@ -692,10 +649,6 @@
- int found_flags = 0;
- #endif
-
--#ifdef CONFIG_PAX_EI_PAX
-- pax_flags = pax_parse_ei_pax(elf_ex);
--#endif
--
- #ifdef CONFIG_PAX_PT_PAX_FLAGS
- for (i = 0UL; i < elf_ex->e_phnum; i++)
- if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
-@@ -718,7 +671,7 @@
- }
- #endif
-
--#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- if (found_flags == 0) {
- struct elf_phdr phdr;
- memset(&phdr, 0, sizeof(phdr));
-@@ -951,7 +904,7 @@
-
- current->mm->def_flags = 0;
-
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
- send_sig(SIGKILL, current, 0);
- goto out_free_dentry;
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-07-30 06:31:55.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-07-30 06:37:18.000000000 -0400
-@@ -49,7 +49,6 @@
- config GRKERNSEC_MEDIUM
- bool "Medium"
- select PAX
-- select PAX_EI_PAX
- select PAX_PT_PAX_FLAGS
- select PAX_HAVE_ACL_FLAGS
- select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-@@ -147,7 +146,6 @@
- select PAX_RANDMMAP
- select PAX_NOEXEC
- select PAX_MPROTECT
-- select PAX_EI_PAX
- select PAX_PT_PAX_FLAGS
- select PAX_HAVE_ACL_FLAGS
- select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
---- a/include/linux/grsecurity.h 2011-07-30 06:31:55.000000000 -0400
-+++ b/include/linux/grsecurity.h 2011-07-30 06:39:52.000000000 -0400
-@@ -10,11 +10,11 @@
- #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
- #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
- #endif
--#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
--#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
- #endif
--#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
--#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
- #endif
- #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
- #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
-diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
---- a/include/linux/mm_types.h 2011-07-30 06:31:55.000000000 -0400
-+++ b/include/linux/mm_types.h 2011-07-30 06:38:43.000000000 -0400
-@@ -320,7 +320,7 @@
- pgtable_t pmd_huge_pte; /* protected by page_table_lock */
- #endif
-
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
- unsigned long pax_flags;
- #endif
-
-diff a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-07-30 06:31:56.000000000 -0400
-+++ b/security/Kconfig 2011-07-30 06:40:40.000000000 -0400
-@@ -48,20 +48,6 @@
- line option on boot. Furthermore you can control various PaX features
- at runtime via the entries in /proc/sys/kernel/pax.
-
--config PAX_EI_PAX
-- bool 'Use legacy ELF header marking'
-- help
-- Enabling this option will allow you to control PaX features on
-- a per executable basis via the 'chpax' utility available at
-- http://pax.grsecurity.net/. The control flags will be read from
-- an otherwise reserved part of the ELF header. This marking has
-- numerous drawbacks (no support for soft-mode, toolchain does not
-- know about the non-standard use of the ELF header) therefore it
-- has been deprecated in favour of PT_PAX_FLAGS support.
--
-- Note that if you enable PT_PAX_FLAGS marking support as well,
-- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
--
- config PAX_PT_PAX_FLAGS
- bool 'Use ELF program header marking'
- help
-@@ -110,7 +96,7 @@
-
- config PAX_NOEXEC
- bool "Enforce non-executable pages"
-- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
-+ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
- help
- By design some architectures do not allow for protecting memory
- pages against execution or even if they do, Linux does not make
-@@ -356,7 +342,7 @@
-
- config PAX_ASLR
- bool "Address Space Layout Randomization"
-- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
-+ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
- help
- Many if not most exploit techniques rely on the knowledge of
- certain addresses in the attacked program. The following options