summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2017-04-22 12:08:04 -0400
committerAnthony G. Basile <blueness@gentoo.org>2017-04-22 12:08:04 -0400
commita6383ddcf48aac166b64e6008cbceb4476975279 (patch)
tree378807c872bdda51eaeff69ff7752e95142c8710 /4.9.24/4475_emutramp_default_on.patch
parentgrsecurity-3.1-4.9.23-201704181901 (diff)
downloadhardened-patchset-master.tar.gz
hardened-patchset-master.tar.bz2
hardened-patchset-master.zip
grsecurity-3.1-4.9.24-201704220732HEAD20170422master
Diffstat (limited to '4.9.24/4475_emutramp_default_on.patch')
-rw-r--r--4.9.24/4475_emutramp_default_on.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/4.9.24/4475_emutramp_default_on.patch b/4.9.24/4475_emutramp_default_on.patch
new file mode 100644
index 0000000..feb8c7b
--- /dev/null
+++ b/4.9.24/4475_emutramp_default_on.patch
@@ -0,0 +1,34 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
+We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
+
+See bug:
+ http://bugs.gentoo.org/show_bug.cgi?id=329499
+ http://bugs.gentoo.org/show_bug.cgi?id=457194
+
+diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
+--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
+@@ -440,7 +440,7 @@
+
+ config PAX_EMUTRAMP
+ bool "Emulate trampolines"
+- default y if PARISC || GRKERNSEC_CONFIG_AUTO
++ default y
+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
+ help
+ There are some programs and libraries that for one reason or
+@@ -463,6 +463,12 @@
+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
+ for the affected files.
+
++ NOTE: Hardened Gentoo users needs this option enabled for python
++ to work properly. Without it, all python apps, including portage,
++ may fail. By default, python has CONFIG_PAX_EMUTRAMP enabled by
++ the ebuild when USE=pax_kernel is set, otherise CONFIG_PAX_PAGEEXEC
++ is enabled as a fallback.
++
+ NOTE: enabling this feature *may* open up a loophole in the
+ protection provided by non-executable pages that an attacker
+ could abuse. Therefore the best solution is to not have any