Commit | Line | Data |
---|---|---|
bb5f0bf8 AF |
1 | No need to wrap vdso calls as gentoo does not use any version of |
2 | glibc <=2.3.3 | |
3 | --- | |
4 | From: Gordon Malm <gengor@gentoo.org> | |
5 | From: Kerin Millar <kerframil@gmail.com> | |
6 | From: Jory A. Pratt <anarchy@gentoo.org> | |
7 | ||
8 | COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It | |
9 | conflicts with various parts of PaX, crashing the system if enabled | |
10 | while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents | |
11 | a number of important PaX options from appearing in the configuration | |
12 | menu, including all PaX NOEXEC implementations. Unfortunately, the | |
13 | reason for the disappearance of these PaX configuration options is | |
14 | often far from obvious to inexperienced users. | |
15 | ||
16 | Therefore, we disable the COMPAT_VDSO menu entry entirely. However, | |
17 | COMPAT_VDSO operation can still be enabled via bootparam and sysctl | |
18 | interfaces. Consequently, we must also disable the ability to select | |
19 | COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so | |
20 | that selecting COMPAT_VDSO operation at boot/runtime has no effect if | |
21 | conflicting PaX options are enabled, leaving VDSO_ENABLED operation | |
22 | intact. | |
23 | ||
24 | Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 | |
25 | ||
26 | diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig | |
27 | --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 | |
28 | +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 | |
29 | @@ -1651,17 +1651,8 @@ | |
30 | ||
31 | config COMPAT_VDSO | |
32 | def_bool n | |
33 | - prompt "Compat VDSO support" | |
34 | depends on X86_32 || IA32_EMULATION | |
35 | depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF | |
36 | - ---help--- | |
37 | - Map the 32-bit VDSO to the predictable old-style address too. | |
38 | - | |
39 | - Say N here if you are running a sufficiently recent glibc | |
40 | - version (2.3.3 or later), to remove the high-mapped | |
41 | - VDSO mapping and to exclusively use the randomized VDSO. | |
42 | - | |
43 | - If unsure, say Y. | |
44 | ||
45 | config CMDLINE_BOOL | |
46 | bool "Built-in kernel command line" |
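Review bot: this hunk only hides COMPAT_VDSO from the configuration menu (the `prompt` and `---help---` block are dropped, `def_bool n` stays), but the commit message says the bootparam and sysctl paths must also be neutralised so that enabling COMPAT_VDSO at boot or runtime has no effect under conflicting PaX options; that change is not in this hunk, so confirm a following hunk covers it, otherwise the symbol is gone from menuconfig while the runtime switch the message warns about remains. Minor: with no prompt and a default of n, the two unchanged `depends on` lines now only matter if some other symbol selects COMPAT_VDSO; a one-line comment above them would stop a later reader from assuming they are what hides the PaX options.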