summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '4.9.23/4426_default_XATTR_PAX_FLAGS.patch')
-rw-r--r--4.9.23/4426_default_XATTR_PAX_FLAGS.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/4.9.23/4426_default_XATTR_PAX_FLAGS.patch b/4.9.23/4426_default_XATTR_PAX_FLAGS.patch
new file mode 100644
index 0000000..f7e97b5
--- /dev/null
+++ b/4.9.23/4426_default_XATTR_PAX_FLAGS.patch
@@ -0,0 +1,36 @@
+diff -Naur linux-4.8.15-hardened-r1.orig/security/Kconfig linux-4.8.15-hardened-r1/security/Kconfig
+--- linux-4.8.15-hardened-r1.orig/security/Kconfig 2017-01-01 12:10:19.638828792 -0500
++++ linux-4.8.15-hardened-r1/security/Kconfig 2017-01-01 12:14:05.434836657 -0500
+@@ -293,7 +293,7 @@
+
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ default n
+ help
+ Enabling this option will allow you to control PaX features on
+ a per executable basis via the 'paxctl' utility available at
+@@ -312,9 +312,12 @@
+ If you enable none of the marking options then all applications
+ will run with PaX enabled on them by default.
+
++ Note for Gentoo: PT_PAX_FLAGS has been deprecated in Gentoo. Enable
++ this only for legacy systems.
++
+ config PAX_XATTR_PAX_FLAGS
+ bool 'Use filesystem extended attributes marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ default y
+ select CIFS_XATTR if CIFS
+ select EXT2_FS_XATTR if EXT2_FS
+ select EXT3_FS_XATTR if EXT3_FS
+@@ -343,6 +346,9 @@
+ If you enable none of the marking options then all applications
+ will run with PaX enabled on them by default.
+
++ Note for Gentoo: XATTR_PAX_FLAGS is now the default in Gentoo. Do
++ not disable this unless you know what you're doing.
++
+ choice
+ prompt 'MAC system integration'
+ default PAX_HAVE_ACL_FLAGS