Your attachment was empty.

The execshield patch has gotten much smaller than it was in the beginning. It still hasn't gotten all the cleanup it could get though. The patch does a few different things that ideally would be in separate patches.

1. Segment-based PAGE_EXEC for no-NX hardware (and non-PAE 32-bit kernels). This is not really very much code. There's the GPF trap handler, and the hooks like arch_add_exec_range et al. I don't see why this couldn't be merged upstream as a config option.

2. Tighter permissions on /proc/pid/foo. This would be simple to make a config option and is such a simple patch (fs/proc/base.c) it seems like it shouldn't be hard to get upstream.

3. get_unmapped_area_prot. This is what changes the layouts and is the heart of what's really "exec-shield" since randomization has been upstream.

4. Miscellaneous tweaks and cruft. There are strange little bits of diff that I don't know the explanation for. Maybe we can clean these up. I hope Ingo knows what any other bits in there are for.

Thanks,
Roland

_______________________________________________
Fedora-kernel-list mailing list
Fedora-kernel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-kernel-list
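As an added illustration of item 1 above, and not code from the execshield patch itself, here is a small user-space C model of how a segment-limit scheme behaves: the limit tracks the highest executable mapping, so a fetch from the stack above it traps, while any address below that mapping (executable or not) passes, which is the reason such a scheme depends on keeping executable mappings low in the address space. The struct and function names, and the fixed-size range table, are this model's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy user-space model of the segment-limit scheme: the kernel tracks the
 * highest address of any executable mapping, programs the code segment
 * limit to end there, and the #GP handler turns a fetch above it into
 * SIGSEGV. The names and the fixed-size table are this model's own. */
#define MAX_RANGES 16

struct exec_range { uintptr_t start, end; bool used; };
struct mm_model {
    struct exec_range ranges[MAX_RANGES];
    uintptr_t exec_limit; /* one past the highest executable byte */
};

/* Recompute the limit from whatever executable ranges remain. */
static void recompute_limit(struct mm_model *mm) {
    mm->exec_limit = 0;
    for (size_t i = 0; i < MAX_RANGES; i++)
        if (mm->ranges[i].used && mm->ranges[i].end > mm->exec_limit)
            mm->exec_limit = mm->ranges[i].end;
}

/* Hook for a new PROT_EXEC mapping; false if the table is full. */
bool model_add_exec_range(struct mm_model *mm, uintptr_t start, uintptr_t end) {
    for (size_t i = 0; i < MAX_RANGES; i++) {
        if (mm->ranges[i].used)
            continue;
        mm->ranges[i] = (struct exec_range){ start, end, true };
        if (end > mm->exec_limit)
            mm->exec_limit = end;
        return true;
    }
    return false;
}

/* Hook for an executable mapping being unmapped or losing PROT_EXEC. */
void model_remove_exec_range(struct mm_model *mm, uintptr_t start, uintptr_t end) {
    for (size_t i = 0; i < MAX_RANGES; i++)
        if (mm->ranges[i].used && mm->ranges[i].start == start &&
            mm->ranges[i].end == end)
            mm->ranges[i].used = false;
    recompute_limit(mm);
}
/* The #GP handler's decision: a fetch at or above the limit is a violation;
 * anything below it passes, whether or not that address is meant to be code. */
bool model_fetch_is_violation(const struct mm_model *mm, uintptr_t ip) {
    return ip >= mm->exec_limit;
}
```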