blob: feb8c7ba628934ee92c87049ca2de864c1ea2300 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
From: Anthony G. Basile <blueness@gentoo.org>
PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
See bug:
http://bugs.gentoo.org/show_bug.cgi?id=329499
http://bugs.gentoo.org/show_bug.cgi?id=457194
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
@@ -440,7 +440,7 @@
config PAX_EMUTRAMP
bool "Emulate trampolines"
- default y if PARISC || GRKERNSEC_CONFIG_AUTO
+ default y
depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
help
There are some programs and libraries that for one reason or
@@ -463,6 +463,12 @@
utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
for the affected files.
+ NOTE: Hardened Gentoo users needs this option enabled for python
+ to work properly. Without it, all python apps, including portage,
+ may fail. By default, python has CONFIG_PAX_EMUTRAMP enabled by
+ the ebuild when USE=pax_kernel is set, otherise CONFIG_PAX_PAGEEXEC
+ is enabled as a fallback.
+
NOTE: enabling this feature *may* open up a loophole in the
protection provided by non-executable pages that an attacker
could abuse. Therefore the best solution is to not have any
|