]> git.pld-linux.org Git - packages/kernel.git/blame - linux-2.4.19-grsec-1.9.7-PAX-sysctl.patch
projects / packages / kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- IT82XX seriec RAID support
[packages/kernel.git] / linux-2.4.19-grsec-1.9.7-PAX-sysctl.patch
CommitLineData
d768bd4e 1--- linux-2.4.19/kernel/sysctl.c.org Thu Sep 26 19:41:20 2002
2+++ linux-2.4.19/kernel/sysctl.c Mon Sep 30 14:21:12 2002
3@@ -285,7 +285,8 @@
4 GS_RANDSRC, GS_RANDPING, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
5 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
6 GS_TTY, GS_TTYS, GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC,
7-GS_DMSG, GS_RANDRPC, GS_FINDTASK, GS_LOCK};
8+GS_DMSG, GS_RANDRPC, GS_FINDTASK, GS_PAXNOEXEC, GS_PAXPAGEEXEC, GS_PAXSEGMEXEC,
415e9df5 9+GS_PAXEMUTRAMP, GS_PAXMPROTECT, GS_PAXASLR, GS_PAXRANDEXEC, GS_LOCK};
d768bd4e 10
11 static ctl_table grsecurity_table[] = {
12 {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler},
415e9df5 13@@ -439,6 +440,34 @@
d768bd4e 14 {GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask,
15 sizeof (int), 0600, NULL, &proc_dointvec},
16 #endif
17+#ifdef CONFIG_GRKERNSEC_PAX_NOEXEC
18+ {GS_PAXNOEXEC, "pax_noexec", &grsec_pax_noexec,
19+ sizeof (int), 0600, NULL, &proc_dointvec},
20+#endif
21+#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
22+ {GS_PAXPAGEEXEC, "pax_pageexec", &grsec_pax_pageexec,
23+ sizeof (int), 0600, NULL, &proc_dointvec},
24+#endif
25+#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
26+ {GS_PAXSEGMEXEC, "pax_segmexec", &grsec_pax_segmexec,
27+ sizeof (int), 0600, NULL, &proc_dointvec},
28+#endif
29+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
30+ {GS_PAXEMUTRAMP, "pax_emutramp", &grsec_pax_emutramp,
31+ sizeof (int), 0600, NULL, &proc_dointvec},
32+#endif
33+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
34+ {GS_PAXMPROTECT, "pax_mprotect", &grsec_pax_mprotect,
35+ sizeof (int), 0600, NULL, &proc_dointvec},
415e9df5 36+#endif
37+#ifdef CONFIG_GRKERNSEC_PAX_ASLR
38+ {GS_PAXASLR, "pax_aslr", &grsec_pax_aslr,
39+ sizeof (int), 0600, NULL, &proc_dointvec},
40+#endif
41+#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
42+ {GS_PAXRANDEXEC, "pax_randexec", &grsec_pax_randexec,
43+ sizeof (int), 0600, NULL, &proc_dointvec},
d768bd4e 44+#endif
45 {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
46 &proc_dointvec},
47 #endif
48--- linux-2.4.19/grsecurity/grsecurity.c.org Thu Sep 26 19:41:20 2002
49+++ linux-2.4.19/grsecurity/grsecurity.c Mon Sep 30 14:10:09 2002
415e9df5 50@@ -53,6 +53,13 @@
d768bd4e 51 int grsec_enable_socket_server = 0;
52 int grsec_socket_server_gid = 0;
53 int grsec_lock = 0;
54+int grsec_pax_noexec = 0;
55+int grsec_pax_pageexec = 0;
56+int grsec_pax_segmexec = 0;
57+int grsec_pax_emutramp = 0;
58+int grsec_pax_mprotect = 0;
415e9df5 59+int grsec_pax_aslr = 0;
60+int grsec_pax_randexec = 0;
d768bd4e 61
62 /*
63 handle the variables if parts of grsecurity are configured without sysctl
415e9df5 64@@ -167,6 +172,27 @@
d768bd4e 65 grsec_enable_socket_server = 1;
66 grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
67 #endif
68+#ifdef CONFIG_GRKERNSEC_PAX_NOEXEC
69+grsec_pax_noexec = 1;
70+#endif
71+#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
72+grsec_pax_pageexec = 1;
73+#endif
74+#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
75+grsec_pax_segmexec = 1;
76+#endif
77+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
78+grsec_pax_emutramp = 1;
79+#endif
80+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
81+grsec_pax_mprotect = 1;
415e9df5 82+#endif
83+#ifdef CONFIG_GRKERNSEC_PAX_ASLR
84+grsec_pax_aslr = 1;
85+#endif
86+#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
87+grsec_pax_randexec = 1;
d768bd4e 88+#endif
89 #endif
90
91 return;
92--- linux-2.4.19/include/linux/grsecurity.h.org Fri Sep 27 03:42:07 2002
93+++ linux-2.4.19/include/linux/grsecurity.h Mon Sep 30 14:27:55 2002
415e9df5 94@@ -99,6 +99,13 @@
d768bd4e 95 extern int grsec_enable_audit_ipc;
96 extern int grsec_enable_mount;
97 extern int grsec_enable_chdir;
98+extern int grsec_pax_noexec;
99+extern int grsec_pax_pageexec;
100+extern int grsec_pax_segmexec;
101+extern int grsec_pax_emutramp;
102+extern int grsec_pax_mprotect;
415e9df5 103+extern int grsec_pax_aslr;
104+extern int grsec_pax_randexec;
d768bd4e 105 extern int grsec_lock;
106
107 extern struct task_struct *child_reaper;
415e9df5 108--- linux-2.4.19/fs/exec.c.org Tue Oct 1 08:24:12 2002
109+++ linux-2.4.19/fs/exec.c Wed Oct 2 09:11:51 2002
110@@ -281,11 +281,10 @@
111 lru_cache_add(page);
112 flush_dcache_page(page);
113 flush_page_to_ram(page);
114-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
115- if (tsk->flags & PF_PAX_PAGEEXEC)
116+if(grsec_pax_pageexec)
117+ {if (tsk->flags & PF_PAX_PAGEEXEC)
118 set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY_NOEXEC))));
119- else
120-#endif
121+ }
122 set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY))));
123 tsk->mm->rss++;
124 spin_unlock(&tsk->mm->page_table_lock);
125@@ -323,11 +322,10 @@
126 mpnt->vm_end = STACK_TOP;
127 mpnt->vm_flags = VM_STACK_FLAGS;
128
129-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
130- if (!(current->flags & PF_PAX_PAGEEXEC))
131+if(grsec_pax_pageexec)
132+ {if (!(current->flags & PF_PAX_PAGEEXEC))
133 mpnt->vm_page_prot = protection_map[(mpnt->vm_flags | VM_EXEC) & 0x0f];
134- else
135-#endif
136+ }
137 mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x0f];
138 mpnt->vm_ops = NULL;
139 mpnt->vm_pgoff = 0;
140@@ -578,29 +576,23 @@
141 }
142 current->comm[i] = '\0';
143
144-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
145+if(grsec_pax_pageexec)
146 current->flags &= ~PF_PAX_PAGEEXEC;
147-#endif
148
149-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
150+if(grsec_pax_emutramp)
151 current->flags &= ~PF_PAX_EMUTRAMP;
152-#endif
153
154-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
155+if(grsec_pax_mprotect)
156 current->flags &= ~PF_PAX_MPROTECT;
157-#endif
158
159-#ifdef CONFIG_GRKERNSEC_PAX_ASLR
160+if(grsec_pax_aslr)
161 current->flags &= ~PF_PAX_RANDMMAP;
162-#endif
163
164-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
165+if(grsec_pax_randexec)
166 current->flags &= ~PF_PAX_RANDEXEC;
167-#endif
168
169-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
170+if(grsec_pax_segmexec)
171 current->flags &= ~PF_PAX_SEGMEXEC;
172-#endif
173
174 flush_thread();
175
176--- linux-2.4.19/fs/binfmt_elf.c.org Tue Oct 1 08:24:12 2002
177+++ linux-2.4.19/fs/binfmt_elf.c Wed Oct 2 09:23:08 2002
178@@ -447,9 +447,8 @@
179 struct exec interp_ex;
180 char passed_fileno[6];
181
182-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
183+if(grsec_pax_randexec)
184 unsigned long load_addr_random = 0UL;
185-#endif
186
187 /* Get the exec-header */
188 elf_ex = *((struct elfhdr *) bprm->buf);
189@@ -605,30 +604,30 @@
190 current->mm->end_code = 0;
191 current->mm->mmap = NULL;
192
193-#ifdef CONFIG_GRKERNSEC_PAX_ASLR
194+if(grsec_pax_aslr){
195 current->mm->delta_mmap = 0UL;
196 current->mm->delta_exec = 0UL;
197 current->mm->delta_stack = 0UL;
198-#endif
199+}
200
201 current->flags &= ~PF_FORKNOEXEC;
202
203-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
204+if(grsec_pax_pageexec){
205 if (!(elf_ex.e_flags & EF_PAX_PAGEEXEC))
206 current->flags |= PF_PAX_PAGEEXEC;
207-#endif
208+}
209
210-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
211+if(grsec_pax_emutramp){
212 if (elf_ex.e_flags & EF_PAX_EMUTRAMP)
213 current->flags |= PF_PAX_EMUTRAMP;
214-#endif
215+}
216
217-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
218+if(grsec_pax_mprotect){
219 if (!(elf_ex.e_flags & EF_PAX_MPROTECT))
220 current->flags |= PF_PAX_MPROTECT;
221-#endif
222+}
223
224-#ifdef CONFIG_GRKERNSEC_PAX_ASLR
225+if(grsec_pax_aslr){
226 if (!(elf_ex.e_flags & EF_PAX_RANDMMAP)) {
227 unsigned long delta;
228 current->flags |= PF_PAX_RANDMMAP;
229@@ -646,27 +645,27 @@
230 current->mm->delta_stack = pax_delta_mask(delta, PAGE_SHIFT);
231 #undef pax_delta_mask
232 }
233-#endif
234+}
235
236-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
237+if(grsec_pax_segmexec){
238 if (!(elf_ex.e_flags & EF_PAX_SEGMEXEC)) {
239 current->flags &= ~PF_PAX_PAGEEXEC;
240 current->flags |= PF_PAX_SEGMEXEC;
241
242-#ifdef CONFIG_GRKERNSEC_PAX_ASLR
243+if(grsec_pax_aslr){
244 current->mm->delta_mmap &= 0x07FFFFFFUL;
245 current->mm->delta_exec &= 0x07FFFFFFUL;
246 current->mm->delta_stack &= 0x07FFFFFFUL;
247-#endif
248+ }
249
250 }
251-#endif
252+}
253
254-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
255+if(grsec_pax_randexec){
256 if ((elf_ex.e_flags & EF_PAX_RANDEXEC) && (elf_ex.e_type == ET_EXEC) &&
257 (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)))
258 current->flags |= PF_PAX_RANDEXEC;
259-#endif
260+}
261
262 elf_entry = (unsigned long) elf_ex.e_entry;
263
264@@ -733,7 +732,7 @@
265
266 }
267
268-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
269+if(grsec_pax_randexec){
270 if ((current->flags & PF_PAX_RANDEXEC) && (elf_ex.e_type == ET_EXEC)) {
271 if (current->flags & PF_PAX_PAGEEXEC)
272 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot & ~PROT_EXEC, elf_flags);
273@@ -748,7 +747,7 @@
274 /* PaX: mirror at a randomized base */
275 down_write(&current->mm->mmap_sem);
276
277-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
278+if(grsec_pax_segmexec){
279 if (current->flags & PF_PAX_SEGMEXEC) {
280 if (elf_prot & PROT_EXEC) {
281 load_addr_random = do_mmap_pgoff(NULL, 0UL, elf_ppnt->p_memsz, PROT_NONE, MAP_PRIVATE, 0UL);
282@@ -759,13 +758,13 @@
283 } else
284 load_addr_random = do_mmap_pgoff(NULL, 0UL, 0UL, elf_prot, MAP_PRIVATE | MAP_MIRROR | MAP_MIRROR2, error);
285 } else
286-#endif
287+ }
288 load_addr_random = do_mmap_pgoff(NULL, 0UL, 0UL, elf_prot, MAP_PRIVATE | MAP_MIRROR2, error);
289 up_write(&current->mm->mmap_sem);
290 if (BAD_ADDR(load_addr_random))
291 continue;
292 } else
293-#endif
294+}
295 {
296 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
297 if (BAD_ADDR(error))
298@@ -781,10 +780,9 @@
299 load_addr += load_bias;
300 }
301
302-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
303+if(grsec_pax_randexec){
304 current->mm->delta_exec = load_addr_random - load_addr;
305-#endif
306-
307+}
308 }
309 k = elf_ppnt->p_vaddr;
310 if (k < start_code) start_code = k;
311--- linux-2.4.19/fs/binfmt_aout.c.org Tue Oct 1 08:24:12 2002
312+++ linux-2.4.19/fs/binfmt_aout.c Wed Oct 2 09:25:46 2002
313@@ -315,22 +315,22 @@
314 compute_creds(bprm);
315 current->flags &= ~PF_FORKNOEXEC;
316
317-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
318+if(grsec_pax_pageexec){
319 if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
320 current->flags |= PF_PAX_PAGEEXEC;
321
322-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
323+if(grsec_pax_emutramp){
324 if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
325 current->flags |= PF_PAX_EMUTRAMP;
326-#endif
327+ }
328
329-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
330+if(grsec_pax_mprotect){
331 if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
332 current->flags |= PF_PAX_MPROTECT;
333-#endif
334+}
335
336 }
337-#endif
338+}
339
340 #ifdef __sparc__
341 if (N_MAGIC(ex) == NMAGIC) {
342--- linux-2.4.19/mm/mprotect.c.org Tue Oct 1 08:24:13 2002
343+++ linux-2.4.19/mm/mprotect.c Wed Oct 2 09:30:47 2002
344@@ -8,10 +8,10 @@
345 #include <linux/shm.h>
346 #include <linux/mman.h>
347
348-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
349+if(grsec_pax_mprotect){
350 #include <linux/elf.h>
351 #include <linux/fs.h>
352-#endif
353+}
354
355 #include <asm/uaccess.h>
356 #include <asm/pgalloc.h>
357@@ -252,11 +252,11 @@
358 return 0;
359 }
360
361-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
362+if(grsec_pax_pageexec){
363 if (!(current->flags & PF_PAX_PAGEEXEC) && (newflags & (VM_READ|VM_WRITE)))
364 newprot = protection_map[(newflags | VM_EXEC) & 0xf];
365 else
366-#endif
367+}
368 newprot = protection_map[newflags & 0xf];
369 if (start == vma->vm_start) {
370 if (end == vma->vm_end)
371@@ -275,7 +275,7 @@
372 return 0;
373 }
374
375-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
376+if(grsec_pax_mprotect){
377 /* PaX: non-PIC ELF libraries need relocations on their executable segments
378 * therefore we'll grant them VM_MAYWRITE once during their life.
379 *
380@@ -326,9 +326,9 @@
381 } while (dyn.d_tag != DT_NULL);
382 return;
383 }
384-#endif
385+}
386
387-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
388+if(grsec_pax_segmexec){
389 static long __sys_mprotect(unsigned long start, size_t len, unsigned long prot);
390
391 asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
392@@ -352,9 +352,9 @@
393 }
394
395 static long __sys_mprotect(unsigned long start, size_t len, unsigned long prot)
396-#else
397+}else
398 asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
399-#endif
400+
401 {
402 unsigned long nstart, end, tmp;
403 struct vm_area_struct * vma, * next, * prev;
404@@ -371,19 +371,19 @@
405 if (end == start)
406 return 0;
407
408-#ifndef CONFIG_GRKERNSEC_PAX_SEGMEXEC
409+if(grsec_pax_segmexec){
410 down_write(&current->mm->mmap_sem);
411-#endif
412+}
413
414 vma = find_vma_prev(current->mm, start, &prev);
415 error = -ENOMEM;
416 if (!vma || vma->vm_start > start)
417 goto out;
418
419-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
420+if(grsec_pax_mprotect){
421 if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE))
422 pax_handle_maywrite(vma, start);
423-#endif
424+}
425
426 for (nstart = start ; ; ) {
427 unsigned int newflags;
428@@ -397,12 +397,12 @@
429 goto out;
430 }
431
432-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
433+if(grsec_pax_mprotect){
434 /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
435 if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE)) {
436 newflags &= ~VM_MAYWRITE;
437 }
438-#endif
439+}
440 if (vma->vm_ops && vma->vm_ops->mprotect) {
441 error = vma->vm_ops->mprotect(vma, newflags);
442 if (error < 0)
443@@ -441,9 +441,9 @@
444 }
445 out:
446
447-#ifndef CONFIG_GRKERNSEC_PAX_SEGMEXEC
448+if(grsec_pax_segmexec){
449 up_write(&current->mm->mmap_sem);
450-#endif
451+}
452
453 return error;
454 }
455--- linux-2.4.19/mm/mmap.c.org Tue Oct 1 08:24:13 2002
456+++ linux-2.4.19/mm/mmap.c Wed Oct 2 09:41:32 2002
457@@ -209,13 +209,13 @@
458 _trans(prot, PROT_EXEC, VM_EXEC);
459 flag_bits =
460
461-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
462+if(grsec_pax_segmexec){
463 _trans(flags, MAP_MIRROR, VM_MIRROR) |
464-#endif
465+}
466
467-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
468+if(grsec_pax_randexec){
469 _trans(flags, MAP_MIRROR2, VM_MIRROR2) |
470-#endif
471+}
472
473 _trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN) |
474 _trans(flags, MAP_DENYWRITE, VM_DENYWRITE) |
475@@ -417,13 +417,13 @@
476
477 if (
478
479-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
480+if(grsec_pax_segmexec){
481 (flags & MAP_MIRROR) ||
482-#endif
483+}
484
485-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
486+if(grsec_pax_randexec){
487 (flags & MAP_MIRROR2)
488-#else
489+}
490 0
491 #endif
492 )
493@@ -437,13 +437,13 @@
494 if (!vma_m ||
495 vma_m->vm_start != pgoff ||
496
497-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
498+if(grsec_pax_segmexec){
499 (vma_m->vm_flags & (VM_MIRROR | VM_MIRRORED)) ||
500-#endif
501+}
502
503-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
504+if(grsec_pax_randexec){
505 (vma_m->vm_flags & (VM_MIRROR2 | VM_MIRRORED2)) ||
506-#endif
507+}
508
509 (vma_m->vm_flags & (VM_MIRROR | VM_MIRRORED)) ||
510 (!(vma_m->vm_flags & VM_WRITE) && (prot & PROT_WRITE)))
511@@ -484,47 +484,47 @@
512 */
513 vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
514
515-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
516+if(grsec_pax_pageexec){
517 if (current->flags & PF_PAX_PAGEEXEC) {
518
519-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
520+if(grsec_pax_randexec){
521 if (!file && !(flags & MAP_MIRROR2))
522-#else
523+}
524 if (!file)
525-#endif
526+}
527 vm_flags &= ~VM_EXEC;
528
529-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
530+if(grsec_pax_mprotect){
531
532-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
533+if(grsec_pax_randexec)
534 if ((current->flags & PF_PAX_MPROTECT) && ((!file && !(flags & MAP_MIRROR2)) || !(prot & PROT_EXEC)))
535-#else
536+else
537 if ((current->flags & PF_PAX_MPROTECT) && (!file || !(prot & PROT_EXEC)))
538-#endif
539+
540 vm_flags &= ~VM_MAYEXEC;
541
542 if ((current->flags & PF_PAX_MPROTECT) && file && (prot & PROT_EXEC))
543 vm_flags &= ~VM_MAYWRITE;
544-#endif
545+}
546
547 }
548-#endif
549+}
550
551-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
552+if(grsec_pax_segmexec){
553 if (current->flags & PF_PAX_SEGMEXEC) {
554 if (!file && !(flags & MAP_MIRROR))
555 vm_flags &= ~VM_EXEC;
556
557-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
558+if(grsec_pax_mprotect){
559 if ((current->flags & PF_PAX_MPROTECT) && ((!file && !(flags & MAP_MIRROR)) || !(prot & PROT_EXEC)))
560 vm_flags &= ~VM_MAYEXEC;
561
562 if ((current->flags & PF_PAX_MPROTECT) && file && (prot & PROT_EXEC))
563 vm_flags &= ~VM_MAYWRITE;
564-#endif
565+}
566
567 }
568-#endif
569+}
570
571 /* mlock MCL_FUTURE? */
572 if (vm_flags & VM_LOCKED) {
573@@ -626,11 +626,11 @@
574 vma->vm_end = addr + len;
575 vma->vm_flags = vm_flags;
576
577-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
578+if(grsec_pax_pageexec){
579 if ((file || !(current->flags & PF_PAX_PAGEEXEC)) && (vm_flags & (VM_READ|VM_WRITE)))
580 vma->vm_page_prot = protection_map[(vm_flags | VM_EXEC) & 0x0f];
581 else
582-#endif
583+}
584
585 vma->vm_page_prot = protection_map[vm_flags & 0x0f];
586 vma->vm_ops = NULL;
587@@ -660,15 +660,15 @@
588 goto free_vma;
589 }
590
591-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
592+if(grsec_pax_segmexec){
593 if (flags & MAP_MIRROR)
594 vma_m->vm_flags |= VM_MIRRORED;
595-#endif
596+}
597
598-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
599+if(grsec_pax_randexec){
600 if (flags & MAP_MIRROR2)
601 vma_m->vm_flags |= VM_MIRRORED2;
602-#endif
603+}
604
605 /* Can addr have changed??
606 *
607@@ -741,11 +741,10 @@
608 {
609 struct vm_area_struct *vma;
610
611-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
612+if(grsec_pax_segmexec){
613 if ((current->flags & PF_PAX_SEGMEXEC) && len > TASK_SIZE/2)
614 return -ENOMEM;
615- else
616-#endif
617+}
618
619 if (len > TASK_SIZE)
620 return -ENOMEM;
621@@ -754,10 +753,10 @@
622 addr = PAGE_ALIGN(addr);
623 vma = find_vma(current->mm, addr);
624
625-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
626+if(grsec_pax_segmexec){
627 if ((current->flags & PF_PAX_SEGMEXEC) && TASK_SIZE/2-len < addr)
628 return -ENOMEM;
629-#endif
630+}
631
632 if (TASK_SIZE - len >= addr &&
633 (!vma || addr + len <= vma->vm_start))
634@@ -774,11 +773,11 @@
635 for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
636 /* At this point: (!vma || addr < vma->vm_end). */
637
638-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
639+if(grsec_pax_segmexec){
640 if ((current->flags & PF_PAX_SEGMEXEC) && TASK_SIZE/2-len < addr)
641 return -ENOMEM;
642 else
643-#endif
644+}
645
646 if (TASK_SIZE - len < addr)
647 return -ENOMEM;
648@@ -1168,21 +1167,21 @@
649
650 down_write(&mm->mmap_sem);
651
652-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
653+if(grsec_pax_segmexec){
654 if ((current->flags & PF_PAX_SEGMEXEC) &&
655 (len > TASK_SIZE/2 || addr > TASK_SIZE/2-len))
656 return -EINVAL;
657-#endif
658+}
659
660 ret = do_munmap(mm, addr, len);
661
662-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
663+if(grsec_pax_segmexec){
664 if ((current->flags & PF_PAX_SEGMEXEC) && !ret) {
665 int ret_m = do_munmap(mm, addr + TASK_SIZE/2, len);
666 if (ret_m)
667 ret = ret_m;
668 }
669-#endif
670+}
671
672 up_write(&mm->mmap_sem);
673 return ret;
674@@ -1244,10 +1243,10 @@
675 if (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC))
676 flags &= ~VM_EXEC;
677
678-#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
679+if(grsec_pax_mprotect){
680 if (current->flags & PF_PAX_MPROTECT)
681 flags &= ~VM_MAYEXEC;
682-#endif
683+}
684
685 #endif
686 /* Can we just expand an old anonymous mapping? */
687@@ -1266,11 +1265,10 @@
688 vma->vm_end = addr + len;
689 vma->vm_flags = flags;
690
691-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
692+if(grsec_pax_pageexec){
693 if (!(current->flags & PF_PAX_PAGEEXEC) && (flags & (VM_READ|VM_WRITE)))
694 vma->vm_page_prot = protection_map[(flags | VM_EXEC) & 0x0f];
695- else
696-#endif
697+}
698 vma->vm_page_prot = protection_map[flags & 0x0f];
699 vma->vm_ops = NULL;
700 vma->vm_pgoff = 0;
701--- linux-2.4.19/mm/filemap.c.org Tue Oct 1 08:24:13 2002
702+++ linux-2.4.19/mm/filemap.c Wed Oct 2 09:42:41 2002
703@@ -2180,10 +2180,10 @@
704 if (!mapping->a_ops->readpage)
705 return -ENOEXEC;
706
707-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
708+if(grsec_pax_pageexec){
709 if (current->flags & PF_PAX_PAGEEXEC)
710 vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
711-#endif
712+}
713
714 UPDATE_ATIME(inode);
715 vma->vm_ops = &generic_file_vm_ops;
716--- linux-2.4.19/arch/i386/mm/fault.c.org Tue Oct 1 08:24:12 2002
717+++ linux-2.4.19/arch/i386/mm/fault.c Wed Oct 2 09:49:58 2002
718@@ -143,11 +143,11 @@
719 * bit 1 == 0 means read, 1 means write
720 * bit 2 == 0 means kernel, 1 means user-mode
721 */
722-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
723+if(grsec_pax_pageexec){
724 asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
725-#else
726+else
727 asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code)
728-#endif
729+}
730 {
731 struct task_struct *tsk;
732 struct mm_struct *mm;
733@@ -283,21 +283,21 @@
734
735 /* User mode accesses just cause a SIGSEGV */
736 if (error_code & 4) {
737-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
738+if(grsec_pax_segmexec){
739 if (current->flags & PF_PAX_SEGMEXEC) {
740
741-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
742+if(grsec_pax_randexec){
743 if ((error_code == 4) && (regs->eip + TASK_SIZE/2 == address) &&
744 pax_handle_read_fault(regs) == 5)
745 return;
746-#endif
747+}
748
749 if (address >= TASK_SIZE/2) {
750 pax_report_fault(regs);
751 do_exit(SIGKILL);
752 }
753 }
754-#endif
755+}
756
757 tsk->thread.cr2 = address;
758 tsk->thread.error_code = error_code;
759@@ -429,7 +429,7 @@
760 return;
761 }
762 }
763-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
764+if(grsec_pax_pageexec){
765 /* PaX: called with the page_table_lock spinlock held */
766 static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address)
767 {
768@@ -444,7 +444,7 @@
769 return 0;
770 return pte_offset(pmd, address);
771 }
772-#endif
773+}
774
775 /*
776 * PaX: decide what to do with offenders (regs->eip = fault address)
777@@ -459,12 +459,12 @@
778 #if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC)
779 static int pax_handle_read_fault(struct pt_regs *regs)
780 {
781-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
782+if(grsec_pax_emutramp){
783 static const unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4};
784-#endif
785+}
786 int err;
787
788-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
789+if(grsec_pax_randexec){
790 if (current->flags & PF_PAX_RANDEXEC) {
791 unsigned long esp_4;
792 if (regs->eip >= current->mm->start_code &&
793@@ -477,9 +477,9 @@
794 }
795 }
796 }
797-#endif
798+}
799
800-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
801+if(grsec_pax_emutramp){
802 if (!(current->flags & PF_PAX_EMUTRAMP))
803 return 1;
804
805@@ -589,7 +589,7 @@
806 }
807 }
808 }
809-#endif
810+}
811
812 return 1; /* PaX in action */
813 }
814@@ -634,7 +634,7 @@
815 }
816 #endif
817
818-#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC
819+if(grsec_pax_pageexec){
820 /*
821 * PaX: handle the extra page faults or pass it down to the original handler
822 *
823@@ -670,19 +670,19 @@
824 /* instruction fetch attempt from a protected page in user mode */
825 ret = pax_handle_read_fault(regs);
826 switch (ret) {
827-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
828+if(grsec_pax_randexec){
829 case 5:
830 return 0;
831-#endif
832+}
833
834-#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
835+if(grsec_pax_emutramp){
836 case 0:
837 break;
838 case 4:
839 return 0;
840 case 3:
841 case 2: return 1;
842-#endif
843+}
844 case 1:
845 default:
846 pax_report_fault(regs);
847@@ -738,4 +738,4 @@
848 spin_unlock(&mm->page_table_lock);
849 return 0;
850 }
851-#endif
852+}
853--- linux-2.4.19/kernel/ptrace.c.org Tue Oct 1 08:24:13 2002
854+++ linux-2.4.19/kernel/ptrace.c Wed Oct 2 09:52:40 2002
855@@ -129,10 +129,10 @@
856 if (!mm)
857 return 0;
858
859-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
860+if(grsec_pax_segmexec){
861 if ((tsk->flags & PF_PAX_SEGMEXEC) && (addr >= TASK_SIZE/2))
862 return 0;
863-#endif
864+}
865
866 down_read(&mm->mmap_sem);
867 /* ignore errors, just check how much was sucessfully transfered */
868--- linux-2.4.19/mm/memory.c.org Tue Oct 1 08:24:23 2002
869+++ linux-2.4.19/mm/memory.c Wed Oct 2 09:57:25 2002
870@@ -1374,43 +1374,43 @@
871 struct vm_area_struct * vma_m = NULL;
872 #endif
873
874-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
875+if(grsec_pax_segmexec){
876 if (vma->vm_flags & VM_MIRRORED) {
877 address_m = address;
878 vma_m = vma;
879
880-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
881+if(grsec_pax_randexec){
882 if (vma->vm_flags & VM_MIRRORED2) {
883 address += mm->delta_exec;
884 if (vma->vm_flags & VM_EXEC)
885 address += TASK_SIZE/2;
886 } else
887-#endif
888+}
889
890 address += TASK_SIZE/2;
891 vma = find_vma(mm, address);
892 } else if (vma->vm_flags & VM_MIRROR) {
893 address_m = address;
894
895-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
896+if(grsec_pax_randexec){
897 if (vma->vm_flags & VM_MIRROR2) {
898 address_m -= mm->delta_exec;
899 if (vma->vm_flags & VM_EXEC)
900 address_m -= TASK_SIZE/2;
901 } else
902-#endif
903+}
904
905 address_m -= TASK_SIZE/2;
906 vma_m = find_vma(mm, address_m);
907 }
908-#endif
909+}
910
911-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
912+if(grsec_pax_randexec){
913 if (vma && (vma->vm_flags & (VM_MIRROR2 | VM_MIRRORED2))
914
915-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
916+if(grsec_pax_segmexec){
917 && !(vma->vm_flags & (VM_MIRROR | VM_MIRRORED))
918-#endif
919+}
920
921 )
922 {
923@@ -1424,19 +1424,19 @@
924 vma_m = find_vma(mm, address_m);
925 }
926 }
927-#endif
928+}
929
930 /* PaX: sanity checks, to be removed when proved to be stable */
931 #if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC)
932 if (!vma
933
934-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
935+if(grsec_pax_segmexec){
936 || (vma->vm_flags & VM_MIRROR)
937-#endif
938+}
939
940-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
941+if(grsec_pax_randexec){
942 || (vma->vm_flags & VM_MIRROR2)
943-#endif
944+}
945 )
946 {
947 if (!vma || !vma_m) {
948@@ -1445,17 +1445,17 @@
949 return 0;
950 } else if (
951
952-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
953+if(grsec_pax_segmexec){
954 (!(vma_m->vm_flags & VM_MIRRORED) &&
955-#else
956+else
957 (1 &&
958-#endif
959+}
960
961-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
962+if(grsec_pax_randexec){
963 !(vma_m->vm_flags & VM_MIRRORED2)) ||
964-#else
965+else
966 1) ||
967-#endif
968+}
969
970 vma->vm_start > address ||
971 vma_m->vm_start > address_m ||
972@@ -1483,17 +1483,17 @@
973
974 #if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC)
975 if (pte
976-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
977+if(grsec_pax_segmexec){
978
979-#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC
980+if(grsec_pax_randexec){
981 && (vma->vm_flags & (VM_MIRROR | VM_MIRROR2))
982-#else
983+else
984 && (vma->vm_flags & VM_MIRROR)
985-#endif
986+}
987
988-#else
989+else
990 && (vma->vm_flags & VM_MIRROR2)
991-#endif
992+}
993 )
994 {
995 pgd_t *pgd_m;
996--- linux-2.4.19/mm/mremap.c.org Tue Oct 1 08:24:13 2002
997+++ linux-2.4.19/mm/mremap.c Wed Oct 2 09:58:45 2002
998@@ -227,11 +227,11 @@
999 old_len = PAGE_ALIGN(old_len);
1000 new_len = PAGE_ALIGN(new_len);
1001
1002-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
1003+if(grsec_pax_segmexec){
1004 if ((current->flags & PF_PAX_SEGMEXEC) && (flags & MREMAP_FIXED) &&
1005 (new_len > TASK_SIZE/2 || new_addr > TASK_SIZE/2-new_len))
1006 goto out;
1007-#endif
1008+}
1009
1010 /* new_addr is only valid if MREMAP_FIXED is specified */
1011 if (flags & MREMAP_FIXED) {
1012@@ -274,10 +274,10 @@
1013 if (!vma || vma->vm_start > addr)
1014 goto out;
1015
1016-#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
1017+if(grsec_pax_segmexec){
1018 if ((current->flags & PF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MIRRORED))
1019 return -EINVAL;
1020-#endif
1021+}
1022
1023 /* We can't remap across vm area boundaries */
1024 if (old_len > vma->vm_end - addr)
The Linux kernel (the core of the Linux operating system)
This page took 0.265068 seconds and 4 git commands to generate.