From dcdabdc725a2a06fad5211839979b473f2e1f2b1 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Fri, 5 Nov 2010 11:44:16 -0700
Subject: [PATCH] nx-emu: drop exec-shield sysctl, merge with disable_nx

The "exec-shield" sysctl doesn't really make much sense any more, and the functionality is better merged with the existing "disable_nx" kernel boot option.

Signed-off-by: Kees Cook
Signed-off-by: Andy Whitcroft
---
 arch/x86/kernel/cpu/common.c | 2 +-
 arch/x86/mm/setup_nx.c | 5 ++---
 fs/binfmt_elf.c | 2 +-
 include/linux/sched.h | 2 +-
 kernel/sysctl.c | 21 ---------------------
 5 files changed, 5 insertions(+), 27 deletions(-)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 20d704f..16d1096 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -833,7 +833,7 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
 * If we have either disabled exec-shield on the boot command line,
 * or we have NX, then we don't need to do this.
 */
- if (exec_shield != 0) {
+ if (!disable_nx) {
 #ifdef CONFIG_X86_PAE
 if (!test_cpu_cap(c, X86_FEATURE_NX))
 #endif
diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index c0e9d0b..2dfd8d0 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -6,7 +6,7 @@
 #include
 #include
-static int disable_nx __cpuinitdata;
+int disable_nx __cpuinitdata;
 /*
 * noexec = on|off
@@ -24,7 +24,6 @@ static int __init noexec_setup(char *str)
 disable_nx = 0;
 } else if (!strncmp(str, "off", 3)) {
 disable_nx = 1;
- exec_shield = 0;
 }
 x86_configure_nx();
 return 0;
@@ -42,7 +41,7 @@ void __cpuinit x86_configure_nx(void)
 void __init x86_report_nx(void)
 {
 if (!cpu_has_nx) {
- if (exec_shield)
+ if (disable_nx)
 printk(KERN_INFO "Using x86 segment limits to approximate NX protection\n");
 else
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index fbf9002..9211f58 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
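Review bot: The comment kept above `if (!disable_nx)` in identify_cpu() (arch/x86/kernel/cpu/common.c) still says "disabled exec-shield on the boot command line", but this commit removes the `exec-shield=` boot option in kernel/sysctl.c, so the comment names a switch that no longer exists. I would reword its first line to ` * If NX emulation was disabled with noexec=off on the boot command line,`. The retained comment in the load_elf_binary() hunk ("if exec-shield disabled or NX active") has the same problem and could read `if NX emulation is disabled (noexec=off) or`. identify_cpu()'s body starts and ends outside the hunk.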
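Review bot: `int disable_nx __cpuinitdata;` in arch/x86/mm/setup_nx.c keeps its init-section annotation even though the variable is now exported and read by load_elf_binary() in fs/binfmt_elf.c, which runs on every exec long after boot. As far as I recall, on kernels of this era built without CONFIG_HOTPLUG_CPU the cpuinit data is discarded with the rest of init memory, so that exec-time read could see freed memory and the decision to drop the CS limit (turning NX emulation off for the process) would depend on stale contents; please confirm against the linker script. The variable should live in normal data, `int disable_nx __read_mostly;`. The old `exec_shield` in kernel/sysctl.c had no init annotation, so this lifetime problem is new with the merge.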
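Review bot: The condition in x86_report_nx() is converted with the wrong polarity: `if (exec_shield)` became `if (disable_nx)`, whereas the other two conversions in this commit negate it (`exec_shield != 0` to `!disable_nx` in identify_cpu(), `!exec_shield` to `disable_nx` in load_elf_binary()). As written, a CPU without NX booted with `noexec=off` logs "Using x86 segment limits to approximate NX protection", and a default boot takes the `else` branch, so the boot log states the opposite of the protection actually in effect. The line should be `if (!disable_nx)`. The `else` branch and the rest of the function are outside the hunk.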
@@ -717,7 +717,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 * Turn off the CS limit completely if exec-shield disabled or
 * NX active:
 */
- if (!exec_shield || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
+ if (disable_nx || executable_stack != EXSTACK_DISABLE_X || (__supported_pte_mask & _PAGE_NX))
 arch_add_exec_range(current->mm, -1);
 #endif
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 88f84fc..255325c 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -100,7 +100,7 @@ struct bio_list;
 struct fs_struct;
 struct perf_event_context;
-extern int exec_shield;
+extern int disable_nx;
 extern int print_fatal_signals;
 /*
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 2cea18b..443fd20 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -104,17 +104,6 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
 #ifndef CONFIG_MMU
 extern int sysctl_nr_trim_pages;
 #endif
-
-int exec_shield = 1;
-
-static int __init setup_exec_shield(char *str)
-{
- get_option(&str, &exec_shield);
-
- return 1;
-}
-__setup("exec-shield=", setup_exec_shield);
-
 #ifdef CONFIG_BLOCK
 extern int blk_iopoll_enabled;
 #endif
@@ -441,16 +430,6 @@ static struct ctl_table kern_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec,
 },
-#ifdef CONFIG_X86_32
- {
- .procname = "exec-shield",
- .data = &exec_shield,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = &proc_dointvec,
- },
-#endif
-
 #ifdef CONFIG_PROC_SYSCTL
 {
 .procname = "tainted",
--
1.7.10.4