Subject: Re: Non executable mappings and compatibility options bugs
To: Manuel Bouyer <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 06/23/2004 11:18:22
On Wed, Jun 23, 2004 at 11:45:43AM +0200, Manuel Bouyer wrote:
>On Tue, Jun 22, 2004 at 05:23:18PM -0700, Erik E. Fair wrote:
>> Sometimes it's not even a matter of security - I remember all the
>> screaming when deferencing address zero stopped working on newer UNIX
>> systems of the day, and that broke a whole lot of (badly written)
>> software. Incremental improvements in practice are still a good thing.
>> Since software from our own source tree is unaffected (or has been
>> cleaned up already), it seems to me that the explicit enforcement of
>> execution permissions needs to be a per-emulation flag, and that in
>> our kernel configurations, those emulations that require the
>> enforcement off should themselves be commented out by default with a
>> clear notation of the security threat that they pose. We can change
>> each emulation's flag and "commented out" status when they clean up
>> their acts (presuming they ever will; emulations of EOL'd operating
>> systems will just have to endure whatever state they turn out to be
>I don't think having the emulations commented out by default is a big deal,
>as we also provide LKMs, and there is LKM support in the GENERIC kernels.
>We'd just have to add to the release notes that emulation support now is not
>enabled by default, and you have to uncomment them in /etc/lkm.conf to use
>them (along with the security warnings about non-exec stack).
oh, and don't forget to add something that tells the user they need to
rebuild all the lkms if they build their own kernel with any of:
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."