execshield inspection needed
Roland McGrath
roland at redhat.com
Mon Feb 11 08:15:14 UTC 2008

Your attachment was empty.

The execshield patch has gotten much smaller than it was in the beginning.
It still hasn't gotten all the cleanup it could get though. The patch does
a few different things that ideally would be in separate patches.

1. Segment-based PAGE_EXEC for no-NX hardware (and non-PAE 32-bit kernels).
   This is not really very much code. There's the GPF trap handler,
   and the hooks like arch_add_exec_range et al. I don't see why this
   couldn't be merged upstream as a config option.

2. Tighter permissions on /proc/pid/foo. This would be simple to make a
   config option and is such a simple patch (fs/proc/base.c) it seems like
   it shouldn't be hard to get upstream.

3. get_unmapped_area_prot. This is what changes the layouts and is the
   heart of what's really "exec-shield" since randomization has been upstream.

4. Miscellaneous tweaks and cruft. There are strange little bits of diff
   that I don't know the explanation for. Maybe we can clean these up.

I hope Ingo knows what any other bits in there are for.

Thanks,
Roland