Hi,

On Tue, May 25, 2010 at 11:45:44PM -0400, Kyle McMartin wrote:
> On Tue, May 25, 2010 at 04:37:13PM -0700, Kees Cook wrote:
> > Hi Kyle,
> >
> > Here's my linux-2.6 branch with 3 NX-emulation patches stacked on top:
> >
> > http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=summary
> >
> > I think all three should be merged, but I kept them separate for your
> > review.
>
> Can I pull this tree from somewhere?

Yes, the git URL for this is:
git://kernel.ubuntu.com/kees/linux-2.6.git

In looking at how "exec-shield" is used, I was thinking that maybe the
"nonexec" flag should be used instead. It could have multiple settings,
maybe. It seems like it could be used for:
    off
    hw-only
    emu-if-needed

There also seems to be the "2" setting which ignores the stack-exec
markings, but that seems like it should be a separate feature.

If we can clean it up a little more, I'd really like to try for
upstream inclusion. I know there has been resistance to it in the past,
but nearly every distro includes this patch set now; it's silly not to
have it upstream.

The second commit "x86: clean up nx-emu for ia32-only" adds a bunch more
#ifdef CONFIG_X86_32 around things, mostly I think the primary change in
behavior that would be visible to Fedora would be having the "exec-shield"
sysctl vanish on x86_64, and to fall back to mainline ASLR in the non-emu
case.

> > Is there a better place (public Fedora mailing list?) for me to send these?
> >
>
> fedora-kernel-list@xxxxxxxxxx if you want.

Done! :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel