summaryrefslogtreecommitdiff
blob: fe3cdd475c8b4bb462360d469307b8420d1b1cbe (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
--- a/fs/binfmt_elf.c	2011-07-30 06:31:54.000000000 -0400
+++ b/fs/binfmt_elf.c	2011-07-30 06:36:36.000000000 -0400
@@ -553,7 +553,7 @@
 	return error;
 }
 
-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
 static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
 {
 	unsigned long pax_flags = 0UL;
@@ -639,50 +639,7 @@
 }
 #endif
 
-#ifdef CONFIG_PAX_EI_PAX
-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
-{
-	unsigned long pax_flags = 0UL;
-
-#ifdef CONFIG_PAX_PAGEEXEC
-	if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
-		pax_flags |= MF_PAX_PAGEEXEC;
-#endif
-
-#ifdef CONFIG_PAX_SEGMEXEC
-	if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
-		pax_flags |= MF_PAX_SEGMEXEC;
-#endif
-
-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-		if ((__supported_pte_mask & _PAGE_NX))
-			pax_flags &= ~MF_PAX_SEGMEXEC;
-		else
-			pax_flags &= ~MF_PAX_PAGEEXEC;
-	}
-#endif
-
-#ifdef CONFIG_PAX_EMUTRAMP
-	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
-		pax_flags |= MF_PAX_EMUTRAMP;
-#endif
-
-#ifdef CONFIG_PAX_MPROTECT
-	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
-		pax_flags |= MF_PAX_MPROTECT;
-#endif
-
-#ifdef CONFIG_PAX_ASLR
-	if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
-		pax_flags |= MF_PAX_RANDMMAP;
-#endif
-
-	return pax_flags;
-}
-#endif
-
-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
 static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
 {
 	unsigned long pax_flags = 0UL;
@@ -692,10 +649,6 @@
 	int found_flags = 0;
 #endif
 
-#ifdef CONFIG_PAX_EI_PAX
-	pax_flags = pax_parse_ei_pax(elf_ex);
-#endif
-
 #ifdef CONFIG_PAX_PT_PAX_FLAGS
 	for (i = 0UL; i < elf_ex->e_phnum; i++)
 		if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
@@ -718,7 +671,7 @@
 		}
 #endif
 
-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
 	if (found_flags == 0) {
 		struct elf_phdr phdr;
 		memset(&phdr, 0, sizeof(phdr));
@@ -951,7 +904,7 @@
 
 	current->mm->def_flags = 0;
 
-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
 	if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
 		send_sig(SIGKILL, current, 0);
 		goto out_free_dentry;
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig	2011-07-30 06:31:55.000000000 -0400
+++ b/grsecurity/Kconfig	2011-07-30 06:37:18.000000000 -0400
@@ -49,7 +49,6 @@
 config GRKERNSEC_MEDIUM
 	bool "Medium"
 	select PAX
-	select PAX_EI_PAX
 	select PAX_PT_PAX_FLAGS
 	select PAX_HAVE_ACL_FLAGS
 	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
@@ -147,7 +146,6 @@
 	select PAX_RANDMMAP
 	select PAX_NOEXEC
 	select PAX_MPROTECT
-	select PAX_EI_PAX
 	select PAX_PT_PAX_FLAGS
 	select PAX_HAVE_ACL_FLAGS
 	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
--- a/include/linux/grsecurity.h	2011-07-30 06:31:55.000000000 -0400
+++ b/include/linux/grsecurity.h	2011-07-30 06:39:52.000000000 -0400
@@ -10,11 +10,11 @@
 #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
 #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
 #endif
-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
 #endif
-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
 #endif
 #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
 #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
--- a/include/linux/mm_types.h	2011-07-30 06:31:55.000000000 -0400
+++ b/include/linux/mm_types.h	2011-07-30 06:38:43.000000000 -0400
@@ -320,7 +320,7 @@
 	pgtable_t pmd_huge_pte; /* protected by page_table_lock */
 #endif
 
-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
 	unsigned long pax_flags;
 #endif
 
diff a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig	2011-07-30 06:31:56.000000000 -0400
+++ b/security/Kconfig	2011-07-30 06:40:40.000000000 -0400
@@ -48,20 +48,6 @@
 	  line option on boot.  Furthermore you can control various PaX features
 	  at runtime via the entries in /proc/sys/kernel/pax.
 
-config PAX_EI_PAX
-	bool 'Use legacy ELF header marking'
-	help
-	  Enabling this option will allow you to control PaX features on
-	  a per executable basis via the 'chpax' utility available at
-	  http://pax.grsecurity.net/.  The control flags will be read from
-	  an otherwise reserved part of the ELF header.  This marking has
-	  numerous drawbacks (no support for soft-mode, toolchain does not
-	  know about the non-standard use of the ELF header) therefore it
-	  has been deprecated in favour of PT_PAX_FLAGS support.
-
-	  Note that if you enable PT_PAX_FLAGS marking support as well,
-	  the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
-
 config PAX_PT_PAX_FLAGS
 	bool 'Use ELF program header marking'
 	help
@@ -110,7 +96,7 @@
 
 config PAX_NOEXEC
 	bool "Enforce non-executable pages"
-	depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+	depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
 	help
 	  By design some architectures do not allow for protecting memory
 	  pages against execution or even if they do, Linux does not make
@@ -356,7 +342,7 @@
 
 config PAX_ASLR
 	bool "Address Space Layout Randomization"
-	depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+	depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
 	help
 	  Many if not most exploit techniques rely on the knowledge of
 	  certain addresses in the attacked program.  The following options