Diffstat (limited to '2.6.39/4421_remove-legacy-pax-ei.patch')
-rw-r--r-- | 2.6.39/4421_remove-legacy-pax-ei.patch | 191 |
1 files changed, 0 insertions, 191 deletions
diff --git a/2.6.39/4421_remove-legacy-pax-ei.patch b/2.6.39/4421_remove-legacy-pax-ei.patch
deleted file mode 100644
index 1e5db3a..0000000
--- a/2.6.39/4421_remove-legacy-pax-ei.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-This patch removes all references to legacy EI_PAX markings
-in favor of PT_PAX. It should be applied immediately after
-the grsecurity patch.
-
-diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
---- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
-+++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400
-@@ -553,7 +553,7 @@
- return error;
- }
-
--#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
-+#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
- static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
- {
- unsigned long pax_flags = 0UL;
-@@ -639,50 +639,7 @@
- }
- #endif
-
--#ifdef CONFIG_PAX_EI_PAX
--static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
--{
-- unsigned long pax_flags = 0UL;
--
--#ifdef CONFIG_PAX_PAGEEXEC
-- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
-- pax_flags |= MF_PAX_PAGEEXEC;
--#endif
--
--#ifdef CONFIG_PAX_SEGMEXEC
-- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
-- pax_flags |= MF_PAX_SEGMEXEC;
--#endif
--
--#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-- if ((__supported_pte_mask & _PAGE_NX))
-- pax_flags &= ~MF_PAX_SEGMEXEC;
-- else
-- pax_flags &= ~MF_PAX_PAGEEXEC;
-- }
--#endif
--
--#ifdef CONFIG_PAX_EMUTRAMP
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
-- pax_flags |= MF_PAX_EMUTRAMP;
--#endif
--
--#ifdef CONFIG_PAX_MPROTECT
-- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
-- pax_flags |= MF_PAX_MPROTECT;
--#endif
--
--#ifdef CONFIG_PAX_ASLR
-- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
-- pax_flags |= MF_PAX_RANDMMAP;
--#endif
--
-- return pax_flags;
--}
--#endif
--
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
- {
- unsigned long pax_flags = 0UL;
-@@ -692,10 +649,6 @@
- int found_flags = 0;
- #endif
-
--#ifdef CONFIG_PAX_EI_PAX
-- pax_flags = pax_parse_ei_pax(elf_ex);
--#endif
--
- #ifdef CONFIG_PAX_PT_PAX_FLAGS
- for (i = 0UL; i < elf_ex->e_phnum; i++)
- if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
-@@ -718,7 +671,7 @@
- }
- #endif
-
--#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- if (found_flags == 0) {
- struct elf_phdr phdr;
- memset(&phdr, 0, sizeof(phdr));
-@@ -951,7 +904,7 @@
-
- current->mm->def_flags = 0;
-
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
- if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
- send_sig(SIGKILL, current, 0);
- goto out_free_dentry;
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-07-30 06:31:55.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-07-30 06:37:18.000000000 -0400
-@@ -49,7 +49,6 @@
- config GRKERNSEC_MEDIUM
- bool "Medium"
- select PAX
-- select PAX_EI_PAX
- select PAX_PT_PAX_FLAGS
- select PAX_HAVE_ACL_FLAGS
- select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-@@ -147,7 +146,6 @@
- select PAX_RANDMMAP
- select PAX_NOEXEC
- select PAX_MPROTECT
-- select PAX_EI_PAX
- select PAX_PT_PAX_FLAGS
- select PAX_HAVE_ACL_FLAGS
- select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
---- a/include/linux/grsecurity.h 2011-07-30 06:31:55.000000000 -0400
-+++ b/include/linux/grsecurity.h 2011-07-30 06:39:52.000000000 -0400
-@@ -10,11 +10,11 @@
- #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) &&
!defined(CONFIG_PAX_KERNEXEC)
- #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
- #endif
--#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
--#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
- #endif
--#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
--#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
- #endif
- #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
- #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
-diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
---- a/include/linux/mm_types.h 2011-07-30 06:31:55.000000000 -0400
-+++ b/include/linux/mm_types.h 2011-07-30 06:38:43.000000000 -0400
-@@ -320,7 +320,7 @@
- pgtable_t pmd_huge_pte; /* protected by page_table_lock */
- #endif
-
--#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
-+#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
- unsigned long pax_flags;
- #endif
-
-diff a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-07-30 06:31:56.000000000 -0400
-+++ b/security/Kconfig 2011-07-30 06:40:40.000000000 -0400
-@@ -48,20 +48,6 @@
- line option on boot.
Furthermore you can control various PaX features
- at runtime via the entries in /proc/sys/kernel/pax.
-
--config PAX_EI_PAX
-- bool 'Use legacy ELF header marking'
-- help
-- Enabling this option will allow you to control PaX features on
-- a per executable basis via the 'chpax' utility available at
-- http://pax.grsecurity.net/. The control flags will be read from
-- an otherwise reserved part of the ELF header. This marking has
-- numerous drawbacks (no support for soft-mode, toolchain does not
-- know about the non-standard use of the ELF header) therefore it
-- has been deprecated in favour of PT_PAX_FLAGS support.
--
-- Note that if you enable PT_PAX_FLAGS marking support as well,
-- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
--
- config PAX_PT_PAX_FLAGS
- bool 'Use ELF program header marking'
- help
-@@ -110,7 +96,7 @@
-
- config PAX_NOEXEC
- bool "Enforce non-executable pages"
-- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
-+ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
- help
- By design some architectures do not allow for protecting memory
- pages against execution or even if they do, Linux does not make
-@@ -356,7 +342,7 @@
-
- config PAX_ASLR
- bool "Address Space Layout Randomization"
-- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
-+ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
- help
- Many if not most exploit techniques rely on the knowledge of
- certain addresses in the attacked program. The following options |