nx-emu: drop exec-shield sysctl, merge with disable_nx
authorKees Cook <kees.cook@canonical.com>
Fri, 5 Nov 2010 18:44:16 +0000 (11:44 -0700)
committerLeann Ogasawara <leann.ogasawara@canonical.com>
Mon, 28 Mar 2011 13:50:16 +0000 (06:50 -0700)
The "exec-shield" sysctl doesn't really make much sense any more, and
the functionality is better merged with the existing "disable_nx"
kernel boot option.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>

arch/x86/kernel/cpu/common.c
arch/x86/mm/setup_nx.c
fs/binfmt_elf.c
include/linux/sched.h
kernel/sysctl.c

index 20d704f..16d1096 100644 (file)
@@ -833,7 +833,7 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
         *  If we have either disabled exec-shield on the boot command line,
         *  or we have NX, then we don't need to do this.
         */
-       if (exec_shield != 0) {
+       if (!disable_nx) {
 #ifdef CONFIG_X86_PAE
                if (!test_cpu_cap(c, X86_FEATURE_NX))
 #endif
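Review bot: The comment above the changed test still says "disabled exec-shield on the boot command line", but after this change the only switch left is `noexec=off`, which sets `disable_nx`. I would reword it to match the new condition, for example `If NX emulation was turned off with noexec=off, or we have NX, then we don't need to do this.` The body of identify_cpu starts and ends outside the hunk.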
index c0e9d0b..2dfd8d0 100644 (file)
@@ -6,7 +6,7 @@
 #include <asm/pgtable.h>
 #include <asm/proto.h>
 
-static int disable_nx __cpuinitdata;
+int disable_nx __cpuinitdata;
 
 /*
  * noexec = on|off
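Review bot: `disable_nx` loses `static` here but keeps its `__cpuinitdata` annotation, and the fs/binfmt_elf.c hunk in this commit now reads it from load_elf_binary, which runs on every exec long after boot. On configurations where cpuinit sections are discarded once initialisation finishes (presumably builds without CPU hotplug), that read would touch freed init memory. The value read there decides whether the CS limit is lifted for the new process, so a stale value could silently remove the protection. The variable should live in ordinary data, e.g. `int disable_nx __read_mostly;`.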
@@ -24,7 +24,6 @@ static int __init noexec_setup(char *str)
                disable_nx = 0;
        } else if (!strncmp(str, "off", 3)) {
                disable_nx = 1;
-               exec_shield = 0;
        }
        x86_configure_nx();
        return 0;
@@ -42,7 +41,7 @@ void __cpuinit x86_configure_nx(void)
 void __init x86_report_nx(void)
 {
        if (!cpu_has_nx) {
-               if (exec_shield)
+               if (disable_nx)
                        printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
                else
 
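Review bot: The replacement condition in x86_report_nx looks inverted. The other hunks in this commit map `exec_shield != 0` to `!disable_nx` and `!exec_shield` to `disable_nx`, but here `if (exec_shield)` became `if (disable_nx)`. As written, "Using x86 segment limits to approximate NX protection" would be logged exactly when the emulation has been turned off, and the else branch taken when it is on, so the boot log would misreport the protection state. If that is not intended, the line should read `if (!disable_nx)`. The else branch and the rest of the function lie outside the hunk.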
index fbf9002..9211f58 100644 (file)
@@ -717,7 +717,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
         * Turn off the CS limit completely if exec-shield disabled or
         * NX active:
         */
-       if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
+       if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
                arch_add_exec_range(current->mm, -1);
 #endif
 
index 88f84fc..255325c 100644 (file)
@@ -100,7 +100,7 @@ struct bio_list;
 struct fs_struct;
 struct perf_event_context;
 
-extern int exec_shield;
+extern int disable_nx;
 extern int print_fatal_signals;
 
 /*
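Review bot: `extern int disable_nx;` sits in the generic include/linux/sched.h, but the only definition visible in this commit is in arch/x86/mm/setup_nx.c, whereas the old `exec_shield` was defined in the architecture-independent kernel/sysctl.c. Code built for another architecture that uses this declaration would fail only at link time. Consider moving the declaration to an x86 header, or at least documenting it in place with a comment such as `/* x86 only: set by noexec=off, defined in arch/x86/mm/setup_nx.c */`.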
index 2cea18b..443fd20 100644 (file)
@@ -104,17 +104,6 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
 #ifndef CONFIG_MMU
 extern int sysctl_nr_trim_pages;
 #endif
-
-int exec_shield = 1;
-
-static int __init setup_exec_shield(char *str)
-{
-       get_option(&str, &exec_shield);
-
-       return 1;
-}
-__setup("exec-shield=", setup_exec_shield);
-
 #ifdef CONFIG_BLOCK
 extern int blk_iopoll_enabled;
 #endif
@@ -441,16 +430,6 @@ static struct ctl_table kern_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
        },
-#ifdef CONFIG_X86_32
-       {
-               .procname       = "exec-shield",
-               .data           = &exec_shield,
-               .maxlen         = sizeof(int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
-#endif
-
 #ifdef CONFIG_PROC_SYSCTL
        {
                .procname       = "tainted",