On Wed, Jun 23, 2004 at 11:45:43AM +0200, Manuel Bouyer wrote:
>On Tue, Jun 22, 2004 at 05:23:18PM -0700, Erik E. Fair wrote:
>> Sometimes it's not even a matter of security - I remember all the 
>> screaming when deferencing address zero stopped working on newer UNIX 
>> systems of the day, and that broke a whole lot of (badly written) 
>> software. Incremental improvements in practice are still a good thing.
>> 
>> Since software from our own source tree is unaffected (or has been 
>> cleaned up already), it seems to me that the explicit enforcement of 
>> execution permissions needs to be a per-emulation flag, and that in 
>> our kernel configurations, those emulations that require the 
>> enforcement off should themselves be commented out by default with a 
>> clear notation of the security threat that they pose. We can change 
>> each emulation's flag and "commented out" status when they clean up 
>> their acts (presuming they ever will; emulations of EOL'd operating 
>> systems will just have to endure whatever state they turn out to be 
>> in).
>
>I don't think having the emulations commented out by default is a big deal,
>as we also provide LKMs, and there is LKM support in the GENERIC kernels.
>We'd just have to add to the release notes that emulation support now is not
>enabled by default, and you have to uncomment them in /etc/lkm.conf to use
>them (along with the security warnings about non-exec stack).

oh, and don't forget to add something that tells the user they need to
rebuild all the lkms if they build their own kernel with any of:

	DIAGNOSTIC
	DEBUG
	LOCKDEBUG
	MULTIPROCESSOR
	MALLOCLOG

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."