authorKees Cook <kees.cook@canonical.com>2010-05-25 09:51:25 -0700
committerLeann Ogasawara <leann.ogasawara@canonical.com>2010-08-20 15:58:56 -0700
commit5acb3100199f6b3c4d7e36d7906a2ef010c0e52c (patch)
tree08a9c8d2fed44ee0fe9edd99bd0a15b8f3b4363e /kernel
parente49ecac828684642be1f3c6ebf9d43a4220c1d6d (diff)
UBUNTU: SAUCE: x86: implement cs-limit nx-emulation for ia32
OriginalAuthor: Kyle McMartin <kyle@redhat.com>, Dave Jones <djones@redhat.com>, Solar Designer <solar at openwall.com> OriginalLocation: http://cvs.fedoraproject.org/viewvc/devel/kernel/linux-2.6-execshield.patch?view=log Bug: #369978 This is a refresh from version 1.117 as carried by the Fedora Project. Implements NX emulation via CS-limits. It closes a gap in security protections on ia32 kernels without PAE, and for ia32 hardware that lacks the NX feature. Upstream feels this NX emulation is not appropriate for mainline, and as such, RedHat and others have carried it in their kernels for a long time now. Also reference https://blueprints.edge.launchpad.net/ubuntu/+spec/use-pae-when-possible Signed-off-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/sysctl.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index d24f761f4876..fdb581b5a0c6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -101,6 +101,26 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
#ifndef CONFIG_MMU
extern int sysctl_nr_trim_pages;
#endif
+
+int exec_shield = (1<<0);
+/* exec_shield is a bitmask:
+ * 0: off; vdso at STACK_TOP, 1 page below TASK_SIZE
+ * (1<<0) 1: on [also on if !=0]
+ * (1<<1) 2: force noexecstack regardless of PT_GNU_STACK
+ * The old settings
+ * (1<<2) 4: vdso just below .text of main (unless too low)
+ * (1<<3) 8: vdso just below .text of PT_INTERP (unless too low)
+ * are ignored because the vdso is placed completely randomly
+ */
+
+static int __init setup_exec_shield(char *str)
+{
+ get_option(&str, &exec_shield);
+
+ return 1;
+}
+__setup("exec-shield=", setup_exec_shield);
+
#ifdef CONFIG_BLOCK
extern int blk_iopoll_enabled;
#endif
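Review bot: `setup_exec_shield` ignores the return value of `get_option`, so a malformed `exec-shield=` boot argument (no integer after the `=`) leaves `exec_shield` at its compiled-in default while the handler still returns 1 and reports the option as handled; returning 0 in that case would let the kernel flag the option as unhandled instead of silently keeping the default, e.g. `if (!get_option(&str, &exec_shield)) return 0;`. The parser also accepts any integer, including negative values and the `(1<<2)`/`(1<<3)` bits that the comment above says are ignored; since the comment states that any non-zero value means "on", this may be intentional, but a sentence in the comment saying that unknown bits are accepted and ignored rather than rejected would make that contract explicit. As a point of style, the explanatory comment sits after the definition of `exec_shield` rather than above it, which is where a reader looking for the meaning of the default `(1<<0)` will look first.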
@@ -428,6 +448,14 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec,
},
+ {
+ .procname = "exec-shield",
+ .data = &exec_shield,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",