[paxctl] Added paxctl 0.5 - A user-space utility to control PaX flags

security/paxctl/kernel-pax.config.in

@@ -0,0 +1,23 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/kernel-pax.config.in
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License. A copy of the
+# GNU General Public License can be found in the file COPYING.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+CONFIG_PAX=y
+CONFIG_PAX_SOFTMODE=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+CONFIG_PAX_HOOK_ACL_FLAGS=y
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDKSTACK=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y

security/paxctl/parse-config-9

@@ -0,0 +1,22 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/parse-config-9
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License. A copy of the
+# GNU General Public License can be found in the file COPYING.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+pkg_pax_patches="$base/package/*/paxctl/patches"
+
+# add PaX patches found in package/*/paxctl/patches/
+if [ -d $pkg_pax_patches ] ; then 
+	for x in $( ls -1 $pkg_pax_patches/$pkg*$ver*.patch 2>/dev/null ); do
+		var_append patchfiles " " "$x"
+	done
+fi 

security/paxctl/patches/binutils-2.17.50.0.10-pt_pax.patch

@@ -0,0 +1,260 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/binutils-2.17.50.0.10-pt_pax.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+diff -ruN binutils-2.17.50.0.10.orig/bfd/elf-bfd.h binutils-2.17.50.0.10/bfd/elf-bfd.h
+--- binutils-2.17.50.0.10.orig/bfd/elf-bfd.h	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/bfd/elf-bfd.h	2007-01-26 16:32:19.000000000 +0100
+@@ -1355,6 +1355,9 @@
+   /* Segment flags for the PT_GNU_STACK segment.  */
+   unsigned int stack_flags;
+ 
++  /* Segment flags for the PT_PAX_FLAGS segment.  */
++  unsigned int pax_flags;
++
+   /* Symbol version definitions in external objects.  */
+   Elf_Internal_Verdef *verdef;
+ 
+diff -ruN binutils-2.17.50.0.10.orig/bfd/elf.c binutils-2.17.50.0.10/bfd/elf.c
+--- binutils-2.17.50.0.10.orig/bfd/elf.c	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/bfd/elf.c	2007-01-26 16:32:19.000000000 +0100
+@@ -1109,6 +1109,7 @@
+     case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
+     case PT_GNU_STACK: pt = "STACK"; break;
+     case PT_GNU_RELRO: pt = "RELRO"; break;
++    case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
+     default: pt = NULL; break;
+     }
+   return pt;
+@@ -2683,6 +2684,9 @@
+     case PT_GNU_RELRO:
+       return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "relro");
+ 
++    case PT_PAX_FLAGS:
++      return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "pax_flags");
++
+     default:
+       /* Check for any processor-specific program segment types.  */
+       bed = get_elf_backend_data (abfd);
+@@ -3655,6 +3659,11 @@
+       ++segs;
+     }
+ 
++    {
++      /* We need a PT_PAX_FLAGS segment.  */
++      ++segs;
++    }
++
+   for (s = abfd->sections; s != NULL; s = s->next)
+     {
+       if ((s->flags & SEC_LOAD) != 0
+@@ -4238,6 +4247,20 @@
+ 	  pm = &m->next;
+ 	}
+ 
++    {
++      amt = sizeof (struct elf_segment_map);
++      m = bfd_zalloc (abfd, amt);
++      if (m == NULL)
++	goto error_return;
++      m->next = NULL;
++      m->p_type = PT_PAX_FLAGS;
++      m->p_flags = elf_tdata (abfd)->pax_flags;
++      m->p_flags_valid = 1;
++
++      *pm = m;
++      pm = &m->next;
++    }
++
+       free (sections);
+       elf_tdata (abfd)->segment_map = mfirst;
+     }
+@@ -5400,7 +5423,8 @@
+        6. PT_TLS segment includes only SHF_TLS sections.
+        7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
+        8. PT_DYNAMIC should not contain empty sections at the beginning
+-          (with the possible exception of .dynamic).  */
++          (with the possible exception of .dynamic).
++       9. PT_PAX_FLAGS segments does not include any sections.  */
+ #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed)		\
+   ((((segment->p_paddr							\
+       ? IS_CONTAINED_BY_LMA (section, segment, segment->p_paddr)	\
+@@ -5408,6 +5432,7 @@
+      && (section->flags & SEC_ALLOC) != 0)				\
+     || IS_COREFILE_NOTE (segment, section))				\
+    && segment->p_type != PT_GNU_STACK					\
++   && segment->p_type != PT_PAX_FLAGS					\
+    && (segment->p_type != PT_TLS					\
+        || (section->flags & SEC_THREAD_LOCAL))				\
+    && (segment->p_type == PT_LOAD					\
+diff -ruN binutils-2.17.50.0.10.orig/bfd/elflink.c binutils-2.17.50.0.10/bfd/elflink.c
+--- binutils-2.17.50.0.10.orig/bfd/elflink.c	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/bfd/elflink.c	2007-01-26 17:09:17.000000000 +0100
+@@ -5286,16 +5286,30 @@
+   if (!is_elf_hash_table (info->hash))
+     return TRUE;
+ 
++  elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
++
++  if (info->execheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
++  else if (info->noexecheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
++
+   if (info->execstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++      elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++    }
+   else if (info->noexecstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
++    }
+   else
+     {
+       bfd *inputobj;
+       asection *notesec = NULL;
+       int exec = 0;
+ 
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
+       for (inputobj = info->input_bfds;
+ 	   inputobj;
+ 	   inputobj = inputobj->link_next)
+@@ -5308,7 +5322,11 @@
+ 	  if (s)
+ 	    {
+ 	      if (s->flags & SEC_CODE)
+-		exec = PF_X;
++		{
++		  elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
++		  elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++		  exec = PF_X;
++		}
+ 	      notesec = s;
+ 	    }
+ 	  else
+diff -ruN binutils-2.17.50.0.10.orig/binutils/readelf.c binutils-2.17.50.0.10/binutils/readelf.c
+--- binutils-2.17.50.0.10.orig/binutils/readelf.c	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/binutils/readelf.c	2007-01-26 16:32:19.000000000 +0100
+@@ -2442,6 +2442,7 @@
+ 			return "GNU_EH_FRAME";
+     case PT_GNU_STACK:	return "GNU_STACK";
+     case PT_GNU_RELRO:  return "GNU_RELRO";
++    case PT_PAX_FLAGS:  return "PAX_FLAGS";
+ 
+     default:
+       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
+diff -ruN binutils-2.17.50.0.10.orig/include/bfdlink.h binutils-2.17.50.0.10/include/bfdlink.h
+--- binutils-2.17.50.0.10.orig/include/bfdlink.h	2007-01-22 20:00:01.000000000 +0100
++++ binutils-2.17.50.0.10/include/bfdlink.h	2007-01-26 16:32:19.000000000 +0100
+@@ -320,6 +320,14 @@
+   /* TRUE if PT_GNU_RELRO segment should be created.  */
+   unsigned int relro: 1;
+ 
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
++     flags.  */
++  unsigned int execheap: 1;
++
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
++     flags.  */
++  unsigned int noexecheap: 1;
++
+   /* TRUE if we should warn when adding a DT_TEXTREL to a shared object.  */
+   unsigned int warn_shared_textrel: 1;
+ 
+diff -ruN binutils-2.17.50.0.10.orig/include/elf/common.h binutils-2.17.50.0.10/include/elf/common.h
+--- binutils-2.17.50.0.10.orig/include/elf/common.h	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/include/elf/common.h	2007-01-26 17:13:47.000000000 +0100
+@@ -307,12 +307,29 @@
+ #define PT_GNU_STACK	(PT_LOOS + 0x474e551) /* Stack flags */
+ #define PT_GNU_RELRO	(PT_LOOS + 0x474e552) /* Read-only after relocation */
+ #define PT_GNU_SHR	(PT_LOOS + 0x474e554) /* Sharable segment */
++#define PT_PAX_FLAGS	(PT_LOOS + 0x5041580) /* PaX flags */
+ 
+ /* Program segment permissions, in program header p_flags field.  */
+ 
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++
++/* Flags to control PaX behavior.  */
++
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
++
+ /* #define PF_MASKOS	0x0F000000    *//* OS-specific reserved bits */
+ #define PF_MASKOS	0x0FF00000	/* New value, Oct 4, 1999 Draft */
+ #define PF_MASKPROC	0xF0000000	/* Processor-specific reserved bits */
+diff -ruN binutils-2.17.50.0.10.orig/ld/emultempl/elf32.em binutils-2.17.50.0.10/ld/emultempl/elf32.em
+--- binutils-2.17.50.0.10.orig/ld/emultempl/elf32.em	2007-01-22 20:00:09.000000000 +0100
++++ binutils-2.17.50.0.10/ld/emultempl/elf32.em	2007-01-26 16:32:19.000000000 +0100
+@@ -1906,6 +1906,16 @@
+ 	  link_info.noexecstack = TRUE;
+ 	  link_info.execstack = FALSE;
+ 	}
++      else if (strcmp (optarg, "execheap") == 0)
++	{
++	  link_info.execheap = TRUE;
++	  link_info.noexecheap = FALSE;
++	}
++      else if (strcmp (optarg, "noexecheap") == 0)
++	{
++	  link_info.noexecheap = TRUE;
++	  link_info.execheap = FALSE;
++	}
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+@@ -1978,6 +1988,7 @@
+   fprintf (file, _("  -z combreloc\t\tMerge dynamic relocs into one section and sort\n"));
+   fprintf (file, _("  -z defs\t\tReport unresolved symbols in object files.\n"));
+   fprintf (file, _("  -z execstack\t\tMark executable as requiring executable stack\n"));
++  fprintf (file, _("  -z execheap\t\tMark executable as requiring executable heap\n"));
+   fprintf (file, _("  -z initfirst\t\tMark DSO to be initialized first at runtime\n"));
+   fprintf (file, _("  -z interpose\t\tMark object to interpose all DSOs but executable\n"));
+   fprintf (file, _("  -z lazy\t\tMark object lazy runtime binding (default)\n"));
+@@ -1990,6 +2001,7 @@
+   fprintf (file, _("  -z nodlopen\t\tMark DSO not available to dlopen\n"));
+   fprintf (file, _("  -z nodump\t\tMark DSO not available to dldump\n"));
+   fprintf (file, _("  -z noexecstack\tMark executable as not requiring executable stack\n"));
++  fprintf (file, _("  -z noexecheap\tMark executable as not requiring executable heap\n"));
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+diff -ruN binutils-2.17.50.0.10.orig/ld/ldgram.y binutils-2.17.50.0.10/ld/ldgram.y
+--- binutils-2.17.50.0.10.orig/ld/ldgram.y	2006-09-24 17:19:58.000000000 +0200
++++ binutils-2.17.50.0.10/ld/ldgram.y	2007-01-26 16:32:19.000000000 +0100
+@@ -1094,6 +1094,8 @@
+ 			    $$ = exp_intop (0x6474e550);
+ 			  else if (strcmp (s, "PT_GNU_STACK") == 0)
+ 			    $$ = exp_intop (0x6474e551);
++			  else if (strcmp (s, "PT_PAX_FLAGS") == 0)
++			    $$ = exp_intop (0x65041580);
+ 			  else
+ 			    {
+ 			      einfo (_("\

security/paxctl/patches/binutils-2.17.50.0.11-pt_pax.patch

@@ -0,0 +1,260 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/binutils-2.17.50.0.11-pt_pax.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+diff -ruN binutils-2.17.50.0.11.orig/bfd/elf-bfd.h binutils-2.17.50.0.11/bfd/elf-bfd.h
+--- binutils-2.17.50.0.11.orig/bfd/elf-bfd.h	2007-01-26 03:46:07.000000000 +0100
++++ binutils-2.17.50.0.11/bfd/elf-bfd.h	2007-01-26 18:27:30.000000000 +0100
+@@ -1355,6 +1355,9 @@
+   /* Segment flags for the PT_GNU_STACK segment.  */
+   unsigned int stack_flags;
+ 
++  /* Segment flags for the PT_PAX_FLAGS segment.  */
++  unsigned int pax_flags;
++
+   /* Symbol version definitions in external objects.  */
+   Elf_Internal_Verdef *verdef;
+ 
+diff -ruN binutils-2.17.50.0.11.orig/bfd/elf.c binutils-2.17.50.0.11/bfd/elf.c
+--- binutils-2.17.50.0.11.orig/bfd/elf.c	2007-01-26 03:46:08.000000000 +0100
++++ binutils-2.17.50.0.11/bfd/elf.c	2007-01-26 18:27:30.000000000 +0100
+@@ -1109,6 +1109,7 @@
+     case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
+     case PT_GNU_STACK: pt = "STACK"; break;
+     case PT_GNU_RELRO: pt = "RELRO"; break;
++    case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
+     default: pt = NULL; break;
+     }
+   return pt;
+@@ -2683,6 +2684,9 @@
+     case PT_GNU_RELRO:
+       return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "relro");
+ 
++    case PT_PAX_FLAGS:
++      return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "pax_flags");
++
+     default:
+       /* Check for any processor-specific program segment types.  */
+       bed = get_elf_backend_data (abfd);
+@@ -3655,6 +3659,11 @@
+       ++segs;
+     }
+ 
++    {
++      /* We need a PT_PAX_FLAGS segment.  */
++      ++segs;
++    }
++
+   for (s = abfd->sections; s != NULL; s = s->next)
+     {
+       if ((s->flags & SEC_LOAD) != 0
+@@ -4238,6 +4247,20 @@
+ 	  pm = &m->next;
+ 	}
+ 
++    {
++      amt = sizeof (struct elf_segment_map);
++      m = bfd_zalloc (abfd, amt);
++      if (m == NULL)
++	goto error_return;
++      m->next = NULL;
++      m->p_type = PT_PAX_FLAGS;
++      m->p_flags = elf_tdata (abfd)->pax_flags;
++      m->p_flags_valid = 1;
++
++      *pm = m;
++      pm = &m->next;
++    }
++
+       free (sections);
+       elf_tdata (abfd)->segment_map = mfirst;
+     }
+@@ -5408,7 +5431,8 @@
+        6. PT_TLS segment includes only SHF_TLS sections.
+        7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
+        8. PT_DYNAMIC should not contain empty sections at the beginning
+-          (with the possible exception of .dynamic).  */
++          (with the possible exception of .dynamic).
++       9. PT_PAX_FLAGS segments does not include any sections.  */
+ #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed)		\
+   ((((segment->p_paddr							\
+       ? IS_CONTAINED_BY_LMA (section, segment, segment->p_paddr)	\
+@@ -5416,6 +5440,7 @@
+      && (section->flags & SEC_ALLOC) != 0)				\
+     || IS_COREFILE_NOTE (segment, section))				\
+    && segment->p_type != PT_GNU_STACK					\
++   && segment->p_type != PT_PAX_FLAGS					\
+    && (segment->p_type != PT_TLS					\
+        || (section->flags & SEC_THREAD_LOCAL))				\
+    && (segment->p_type == PT_LOAD					\
+diff -ruN binutils-2.17.50.0.11.orig/bfd/elflink.c binutils-2.17.50.0.11/bfd/elflink.c
+--- binutils-2.17.50.0.11.orig/bfd/elflink.c	2007-01-26 03:46:07.000000000 +0100
++++ binutils-2.17.50.0.11/bfd/elflink.c	2007-01-26 18:27:30.000000000 +0100
+@@ -5291,16 +5291,30 @@
+   if (!is_elf_hash_table (info->hash))
+     return TRUE;
+ 
++  elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
++
++  if (info->execheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
++  else if (info->noexecheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
++
+   if (info->execstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++      elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++    }
+   else if (info->noexecstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
++    }
+   else
+     {
+       bfd *inputobj;
+       asection *notesec = NULL;
+       int exec = 0;
+ 
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
+       for (inputobj = info->input_bfds;
+ 	   inputobj;
+ 	   inputobj = inputobj->link_next)
+@@ -5313,7 +5327,11 @@
+ 	  if (s)
+ 	    {
+ 	      if (s->flags & SEC_CODE)
+-		exec = PF_X;
++		{
++		  elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
++		  elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++		  exec = PF_X;
++		}
+ 	      notesec = s;
+ 	    }
+ 	  else
+diff -ruN binutils-2.17.50.0.11.orig/binutils/readelf.c binutils-2.17.50.0.11/binutils/readelf.c
+--- binutils-2.17.50.0.11.orig/binutils/readelf.c	2007-01-26 03:46:07.000000000 +0100
++++ binutils-2.17.50.0.11/binutils/readelf.c	2007-01-26 18:27:30.000000000 +0100
+@@ -2442,6 +2442,7 @@
+ 			return "GNU_EH_FRAME";
+     case PT_GNU_STACK:	return "GNU_STACK";
+     case PT_GNU_RELRO:  return "GNU_RELRO";
++    case PT_PAX_FLAGS:  return "PAX_FLAGS";
+ 
+     default:
+       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
+diff -ruN binutils-2.17.50.0.11.orig/include/bfdlink.h binutils-2.17.50.0.11/include/bfdlink.h
+--- binutils-2.17.50.0.11.orig/include/bfdlink.h	2007-01-26 03:46:07.000000000 +0100
++++ binutils-2.17.50.0.11/include/bfdlink.h	2007-01-26 18:27:30.000000000 +0100
+@@ -320,6 +320,14 @@
+   /* TRUE if PT_GNU_RELRO segment should be created.  */
+   unsigned int relro: 1;
+ 
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
++     flags.  */
++  unsigned int execheap: 1;
++
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
++     flags.  */
++  unsigned int noexecheap: 1;
++
+   /* TRUE if we should warn when adding a DT_TEXTREL to a shared object.  */
+   unsigned int warn_shared_textrel: 1;
+ 
+diff -ruN binutils-2.17.50.0.11.orig/include/elf/common.h binutils-2.17.50.0.11/include/elf/common.h
+--- binutils-2.17.50.0.11.orig/include/elf/common.h	2007-01-26 03:46:08.000000000 +0100
++++ binutils-2.17.50.0.11/include/elf/common.h	2007-01-26 18:27:30.000000000 +0100
+@@ -307,12 +307,29 @@
+ #define PT_GNU_STACK	(PT_LOOS + 0x474e551) /* Stack flags */
+ #define PT_GNU_RELRO	(PT_LOOS + 0x474e552) /* Read-only after relocation */
+ #define PT_GNU_SHR	(PT_LOOS + 0x474e554) /* Sharable segment */
++#define PT_PAX_FLAGS	(PT_LOOS + 0x5041580) /* PaX flags */
+ 
+ /* Program segment permissions, in program header p_flags field.  */
+ 
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++
++/* Flags to control PaX behavior.  */
++
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
++
+ /* #define PF_MASKOS	0x0F000000    *//* OS-specific reserved bits */
+ #define PF_MASKOS	0x0FF00000	/* New value, Oct 4, 1999 Draft */
+ #define PF_MASKPROC	0xF0000000	/* Processor-specific reserved bits */
+diff -ruN binutils-2.17.50.0.11.orig/ld/emultempl/elf32.em binutils-2.17.50.0.11/ld/emultempl/elf32.em
+--- binutils-2.17.50.0.11.orig/ld/emultempl/elf32.em	2007-01-26 03:46:08.000000000 +0100
++++ binutils-2.17.50.0.11/ld/emultempl/elf32.em	2007-01-26 18:27:30.000000000 +0100
+@@ -1905,6 +1905,16 @@
+ 	  link_info.noexecstack = TRUE;
+ 	  link_info.execstack = FALSE;
+ 	}
++      else if (strcmp (optarg, "execheap") == 0)
++	{
++	  link_info.execheap = TRUE;
++	  link_info.noexecheap = FALSE;
++	}
++      else if (strcmp (optarg, "noexecheap") == 0)
++	{
++	  link_info.noexecheap = TRUE;
++	  link_info.execheap = FALSE;
++	}
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+@@ -1977,6 +1987,7 @@
+   fprintf (file, _("  -z combreloc\t\tMerge dynamic relocs into one section and sort\n"));
+   fprintf (file, _("  -z defs\t\tReport unresolved symbols in object files.\n"));
+   fprintf (file, _("  -z execstack\t\tMark executable as requiring executable stack\n"));
++  fprintf (file, _("  -z execheap\t\tMark executable as requiring executable heap\n"));
+   fprintf (file, _("  -z initfirst\t\tMark DSO to be initialized first at runtime\n"));
+   fprintf (file, _("  -z interpose\t\tMark object to interpose all DSOs but executable\n"));
+   fprintf (file, _("  -z lazy\t\tMark object lazy runtime binding (default)\n"));
+@@ -1989,6 +2000,7 @@
+   fprintf (file, _("  -z nodlopen\t\tMark DSO not available to dlopen\n"));
+   fprintf (file, _("  -z nodump\t\tMark DSO not available to dldump\n"));
+   fprintf (file, _("  -z noexecstack\tMark executable as not requiring executable stack\n"));
++  fprintf (file, _("  -z noexecheap\tMark executable as not requiring executable heap\n"));
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+diff -ruN binutils-2.17.50.0.11.orig/ld/ldgram.y binutils-2.17.50.0.11/ld/ldgram.y
+--- binutils-2.17.50.0.11.orig/ld/ldgram.y	2007-01-26 03:45:24.000000000 +0100
++++ binutils-2.17.50.0.11/ld/ldgram.y	2007-01-26 18:27:30.000000000 +0100
+@@ -1093,6 +1093,8 @@
+ 			    $$ = exp_intop (0x6474e550);
+ 			  else if (strcmp (s, "PT_GNU_STACK") == 0)
+ 			    $$ = exp_intop (0x6474e551);
++			  else if (strcmp (s, "PT_PAX_FLAGS") == 0)
++			    $$ = exp_intop (0x65041580);
+ 			  else
+ 			    {
+ 			      einfo (_("\

security/paxctl/patches/binutils-2.17.50.0.18.pt_pax.patch

@@ -0,0 +1,271 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/binutils-2.17.50.0.18.pt_pax.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
+index aa4d44d..00f3df0 100644
+--- a/bfd/elf-bfd.h
++++ b/bfd/elf-bfd.h
+@@ -1428,6 +1428,9 @@ struct elf_obj_tdata
+   /* Segment flags for the PT_GNU_STACK segment.  */
+   unsigned int stack_flags;
+ 
++  /* Segment flags for the PT_PAX_FLAGS segment.  */
++  unsigned int pax_flags;
++
+   /* Symbol version definitions in external objects.  */
+   Elf_Internal_Verdef *verdef;
+ 
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 37b1254..84bcb35 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -1085,6 +1085,7 @@ get_segment_type (unsigned int p_type)
+     case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
+     case PT_GNU_STACK: pt = "STACK"; break;
+     case PT_GNU_RELRO: pt = "RELRO"; break;
++    case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
+     default: pt = NULL; break;
+     }
+   return pt;
+@@ -2346,6 +2347,9 @@ bfd_section_from_phdr (bfd *abfd, Elf_Internal_Phdr *hdr, int index)
+     case PT_GNU_RELRO:
+       return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "relro");
+ 
++    case PT_PAX_FLAGS:
++      return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "pax_flags");
++
+     default:
+       /* Check for any processor-specific program segment types.  */
+       bed = get_elf_backend_data (abfd);
+@@ -3326,6 +3330,11 @@ get_program_header_size (bfd *abfd, struct bfd_link_info *info)
+       ++segs;
+     }
+ 
++    {
++      /* We need a PT_PAX_FLAGS segment.  */
++      ++segs;
++    }
++
+   for (s = abfd->sections; s != NULL; s = s->next)
+     {
+       if ((s->flags & SEC_LOAD) != 0
+@@ -3945,6 +3954,20 @@ _bfd_elf_map_sections_to_segments (bfd *abfd, struct bfd_link_info *info)
+ 	  pm = &m->next;
+ 	}
+ 
++	{
++	  amt = sizeof (struct elf_segment_map);
++	  m = bfd_zalloc (abfd, amt);
++	  if (m == NULL)
++	    goto error_return;
++	  m->next = NULL;
++	  m->p_type = PT_PAX_FLAGS;
++	  m->p_flags = elf_tdata (abfd)->pax_flags;
++	  m->p_flags_valid = 1;
++
++	  *pm = m;
++	  pm = &m->next;
++	}
++
+       free (sections);
+       elf_tdata (abfd)->segment_map = mfirst;
+     }
+@@ -5130,7 +5153,8 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd,
+        6. PT_TLS segment includes only SHF_TLS sections.
+        7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
+        8. PT_DYNAMIC should not contain empty sections at the beginning
+-	  (with the possible exception of .dynamic).  */
++	  (with the possible exception of .dynamic).
++       9. PT_PAX_FLAGS segments do not include any sections.  */
+ #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed)		\
+   ((((segment->p_paddr							\
+       ? IS_CONTAINED_BY_LMA (section, segment, segment->p_paddr)	\
+@@ -5138,6 +5162,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd,
+      && (section->flags & SEC_ALLOC) != 0)				\
+     || IS_COREFILE_NOTE (segment, section))				\
+    && segment->p_type != PT_GNU_STACK					\
++   && segment->p_type != PT_PAX_FLAGS					\
+    && (segment->p_type != PT_TLS					\
+        || (section->flags & SEC_THREAD_LOCAL))				\
+    && (segment->p_type == PT_LOAD					\
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 48ff628..e1c49f8 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -5387,17 +5387,32 @@ bfd_elf_size_dynamic_sections (bfd *output_bfd,
+   if (!is_elf_hash_table (info->hash))
+     return TRUE;
+ 
++  elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
++
++  if (info->execheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
++  else if (info->noexecheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
++
+   bed = get_elf_backend_data (output_bfd);
+   if (info->execstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++      elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++    }
+   else if (info->noexecstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
++    }
+   else
+     {
+       bfd *inputobj;
+       asection *notesec = NULL;
+       int exec = 0;
+ 
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
++
+       for (inputobj = info->input_bfds;
+ 	   inputobj;
+ 	   inputobj = inputobj->link_next)
+@@ -5410,7 +5425,11 @@ bfd_elf_size_dynamic_sections (bfd *output_bfd,
+ 	  if (s)
+ 	    {
+ 	      if (s->flags & SEC_CODE)
+-		exec = PF_X;
++		{
++		  elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
++		  elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++	 	  exec = PF_X;
++		}
+ 	      notesec = s;
+ 	    }
+ 	  else if (bed->default_execstack)
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 5a8cd2d..fe39af4 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -2472,6 +2472,7 @@ get_segment_type (unsigned long p_type)
+ 			return "GNU_EH_FRAME";
+     case PT_GNU_STACK:	return "GNU_STACK";
+     case PT_GNU_RELRO:  return "GNU_RELRO";
++    case PT_PAX_FLAGS:  return "PAX_FLAGS";
+ 
+     default:
+       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
+diff --git a/include/bfdlink.h b/include/bfdlink.h
+index 05824ed..52988cb 100644
+--- a/include/bfdlink.h
++++ b/include/bfdlink.h
+@@ -321,6 +321,14 @@ struct bfd_link_info
+   /* TRUE if PT_GNU_RELRO segment should be created.  */
+   unsigned int relro: 1;
+ 
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
++     flags.  */
++  unsigned int execheap: 1;
++
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
++     flags.  */
++  unsigned int noexecheap: 1;
++
+   /* TRUE if we should warn when adding a DT_TEXTREL to a shared object.  */
+   unsigned int warn_shared_textrel: 1;
+ 
+diff --git a/include/elf/common.h b/include/elf/common.h
+index 13b4857..7271d2c 100644
+--- a/include/elf/common.h
++++ b/include/elf/common.h
+@@ -310,12 +310,30 @@
+ #define PT_GNU_STACK	(PT_LOOS + 0x474e551) /* Stack flags */
+ #define PT_GNU_RELRO	(PT_LOOS + 0x474e552) /* Read-only after relocation */
+ #define PT_GNU_SHR	(PT_LOOS + 0x474e554) /* Sharable segment */
++#define PT_PAX_FLAGS	(PT_LOOS + 0x5041580) /* PaX flags */
+ 
+ /* Program segment permissions, in program header p_flags field.  */
+ 
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++
++
++/* Flags to control PaX behavior.  */
++
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
++
+ /* #define PF_MASKOS	0x0F000000    *//* OS-specific reserved bits */
+ #define PF_MASKOS	0x0FF00000	/* New value, Oct 4, 1999 Draft */
+ #define PF_MASKPROC	0xF0000000	/* Processor-specific reserved bits */
+diff --git a/ld/emultempl/elf32.em b/ld/emultempl/elf32.em
+index 73f2a1d..53d40b6 100644
+--- a/ld/emultempl/elf32.em
++++ b/ld/emultempl/elf32.em
+@@ -2140,6 +2140,16 @@ fragment <<EOF
+ 	  link_info.noexecstack = TRUE;
+ 	  link_info.execstack = FALSE;
+ 	}
++      else if (strcmp (optarg, "execheap") == 0)
++	{
++	  link_info.execheap = TRUE;
++	  link_info.noexecheap = FALSE;
++	}
++      else if (strcmp (optarg, "noexecheap") == 0)
++	{
++	  link_info.noexecheap = TRUE;
++	  link_info.execheap = FALSE;
++	}
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+@@ -2213,6 +2223,7 @@ fragment <<EOF
+   fprintf (file, _("  -z combreloc\t\tMerge dynamic relocs into one section and sort\n"));
+   fprintf (file, _("  -z defs\t\tReport unresolved symbols in object files.\n"));
+   fprintf (file, _("  -z execstack\t\tMark executable as requiring executable stack\n"));
++  fprintf (file, _("  -z execheap\t\tMark executable as requiring executable heap\n"));
+   fprintf (file, _("  -z initfirst\t\tMark DSO to be initialized first at runtime\n"));
+   fprintf (file, _("  -z interpose\t\tMark object to interpose all DSOs but executable\n"));
+   fprintf (file, _("  -z lazy\t\tMark object lazy runtime binding (default)\n"));
+@@ -2225,6 +2236,7 @@ fragment <<EOF
+   fprintf (file, _("  -z nodlopen\t\tMark DSO not available to dlopen\n"));
+   fprintf (file, _("  -z nodump\t\tMark DSO not available to dldump\n"));
+   fprintf (file, _("  -z noexecstack\tMark executable as not requiring executable stack\n"));
++  fprintf (file, _("  -z noexecheap\t\tMark executable as not requiring executable heap\n"));
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+diff --git a/ld/ldgram.y b/ld/ldgram.y
+index 5b68b6b..cefb51a 100644
+--- a/ld/ldgram.y
++++ b/ld/ldgram.y
+@@ -1099,6 +1099,8 @@ phdr_type:
+ 			    $$ = exp_intop (0x6474e550);
+ 			  else if (strcmp (s, "PT_GNU_STACK") == 0)
+ 			    $$ = exp_intop (0x6474e551);
++			  else if (strcmp (s, "PT_PAX_FLAGS") == 0)
++			    $$ = exp_intop (0x65041580);
+ 			  else
+ 			    {
+ 			      einfo (_("\

security/paxctl/patches/binutils-2.17.50.0.9-pt_pax.patch

@@ -0,0 +1,261 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/binutils-2.17.50.0.9-pt_pax.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+diff -ruN binutils-2.17.50.0.9.orig/bfd/elf-bfd.h binutils-2.17.50.0.9/bfd/elf-bfd.h
+--- binutils-2.17.50.0.9.orig/bfd/elf-bfd.h	2007-01-03 20:49:13.000000000 +0100
++++ binutils-2.17.50.0.9/bfd/elf-bfd.h	2007-01-14 19:31:18.000000000 +0100
+@@ -1355,6 +1355,9 @@
+   /* Should the PT_GNU_RELRO segment be emitted?  */
+   bfd_boolean relro;
+ 
++  /* Segment flags for the PT_PAX_FLAGS segment.  */
++  unsigned int pax_flags;
++
+   /* Symbol version definitions in external objects.  */
+   Elf_Internal_Verdef *verdef;
+ 
+diff -ruN binutils-2.17.50.0.9.orig/bfd/elf.c binutils-2.17.50.0.9/bfd/elf.c
+--- binutils-2.17.50.0.9.orig/bfd/elf.c	2007-01-03 20:49:13.000000000 +0100
++++ binutils-2.17.50.0.9/bfd/elf.c	2007-01-14 19:31:18.000000000 +0100
+@@ -1109,6 +1109,7 @@
+     case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
+     case PT_GNU_STACK: pt = "STACK"; break;
+     case PT_GNU_RELRO: pt = "RELRO"; break;
++    case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
+     default: pt = NULL; break;
+     }
+   return pt;
+@@ -2679,6 +2680,9 @@
+     case PT_GNU_RELRO:
+       return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "relro");
+ 
++    case PT_PAX_FLAGS:
++      return _bfd_elf_make_section_from_phdr (abfd, hdr, index, "pax_flags");
++
+     default:
+       /* Check for any processor-specific program segment types.  */
+       bed = get_elf_backend_data (abfd);
+@@ -3651,6 +3655,11 @@
+       ++segs;
+     }
+ 
++    {
++      /* We need a PT_PAX_FLAGS segment.  */
++      ++segs;
++    }
++
+   for (s = abfd->sections; s != NULL; s = s->next)
+     {
+       if ((s->flags & SEC_LOAD) != 0
+@@ -4136,6 +4145,20 @@
+ 	  pm = &m->next;
+ 	}
+ 
++    {
++      amt = sizeof (struct elf_segment_map);
++      m = bfd_zalloc (abfd, amt);
++      if (m == NULL)
++	goto error_return;
++      m->next = NULL;
++      m->p_type = PT_PAX_FLAGS;
++      m->p_flags = elf_tdata (abfd)->pax_flags;
++      m->p_flags_valid = 1;
++
++      *pm = m;
++      pm = &m->next;
++    }
++
+       free (sections);
+       elf_tdata (abfd)->segment_map = mfirst;
+     }
+@@ -5263,7 +5286,8 @@
+        6. PT_TLS segment includes only SHF_TLS sections.
+        7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
+        8. PT_DYNAMIC should not contain empty sections at the beginning
+-          (with the possible exception of .dynamic).  */
++          (with the possible exception of .dynamic).
++       9. PT_PAX_FLAGS segments does not include any sections.  */
+ #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed)		\
+   ((((segment->p_paddr							\
+       ? IS_CONTAINED_BY_LMA (section, segment, segment->p_paddr)	\
+@@ -5271,6 +5295,7 @@
+      && (section->flags & SEC_ALLOC) != 0)				\
+     || IS_COREFILE_NOTE (segment, section))				\
+    && segment->p_type != PT_GNU_STACK					\
++   && segment->p_type != PT_PAX_FLAGS					\
+    && (segment->p_type != PT_TLS					\
+        || (section->flags & SEC_THREAD_LOCAL))				\
+    && (segment->p_type == PT_LOAD					\
+diff -ruN binutils-2.17.50.0.9.orig/bfd/elflink.c binutils-2.17.50.0.9/bfd/elflink.c
+--- binutils-2.17.50.0.9.orig/bfd/elflink.c	2007-01-03 20:49:13.000000000 +0100
++++ binutils-2.17.50.0.9/bfd/elflink.c	2007-01-14 19:31:18.000000000 +0100
+@@ -5221,17 +5221,31 @@
+   if (!is_elf_hash_table (info->hash))
+     return TRUE;
+ 
++  elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
++
++  if (info->execheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
++  else if (info->noexecheap)
++    elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
++
+   elf_tdata (output_bfd)->relro = info->relro;
+   if (info->execstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
++      elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++    }
+   else if (info->noexecstack)
+-    elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++    {
++      elf_tdata (output_bfd)->stack_flags = PF_R | PF_W;
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
++    }
+   else
+     {
+       bfd *inputobj;
+       asection *notesec = NULL;
+       int exec = 0;
+ 
++      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
+       for (inputobj = info->input_bfds;
+ 	   inputobj;
+ 	   inputobj = inputobj->link_next)
+@@ -5244,7 +5258,11 @@
+ 	  if (s)
+ 	    {
+ 	      if (s->flags & SEC_CODE)
+-		exec = PF_X;
++		{
++		  elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
++		  elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
++		  exec = PF_X;
++		}
+ 	      notesec = s;
+ 	    }
+ 	  else
+diff -ruN binutils-2.17.50.0.9.orig/binutils/readelf.c binutils-2.17.50.0.9/binutils/readelf.c
+--- binutils-2.17.50.0.9.orig/binutils/readelf.c	2007-01-03 20:49:13.000000000 +0100
++++ binutils-2.17.50.0.9/binutils/readelf.c	2007-01-14 19:31:18.000000000 +0100
+@@ -2441,6 +2441,7 @@
+ 			return "GNU_EH_FRAME";
+     case PT_GNU_STACK:	return "GNU_STACK";
+     case PT_GNU_RELRO:  return "GNU_RELRO";
++    case PT_PAX_FLAGS:  return "PAX_FLAGS";
+ 
+     default:
+       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
+diff -ruN binutils-2.17.50.0.9.orig/include/bfdlink.h binutils-2.17.50.0.9/include/bfdlink.h
+--- binutils-2.17.50.0.9.orig/include/bfdlink.h	2006-11-27 23:21:04.000000000 +0100
++++ binutils-2.17.50.0.9/include/bfdlink.h	2007-01-14 19:31:18.000000000 +0100
+@@ -320,6 +320,14 @@
+   /* TRUE if PT_GNU_RELRO segment should be created.  */
+   unsigned int relro: 1;
+ 
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
++     flags.  */
++  unsigned int execheap: 1;
++
++  /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
++     flags.  */
++  unsigned int noexecheap: 1;
++
+   /* TRUE if we should warn when adding a DT_TEXTREL to a shared object.  */
+   unsigned int warn_shared_textrel: 1;
+ 
+diff -ruN binutils-2.17.50.0.9.orig/include/elf/common.h binutils-2.17.50.0.9/include/elf/common.h
+--- binutils-2.17.50.0.9.orig/include/elf/common.h	2006-11-27 23:21:04.000000000 +0100
++++ binutils-2.17.50.0.9/include/elf/common.h	2007-01-14 19:31:18.000000000 +0100
+@@ -306,12 +306,29 @@
+ #define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME      /* Solaris uses the same value */
+ #define PT_GNU_STACK	(PT_LOOS + 0x474e551) /* Stack flags */
+ #define PT_GNU_RELRO	(PT_LOOS + 0x474e552) /* Read-only after relocation */
++#define PT_PAX_FLAGS	(PT_LOOS + 0x5041580) /* PaX flags */
+ 
+ /* Program segment permissions, in program header p_flags field.  */
+ 
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++
++/* Flags to control PaX behavior.  */
++
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
++
+ /* #define PF_MASKOS	0x0F000000    *//* OS-specific reserved bits */
+ #define PF_MASKOS	0x0FF00000	/* New value, Oct 4, 1999 Draft */
+ #define PF_MASKPROC	0xF0000000	/* Processor-specific reserved bits */
+diff -ruN binutils-2.17.50.0.9.orig/ld/emultempl/elf32.em binutils-2.17.50.0.9/ld/emultempl/elf32.em
+--- binutils-2.17.50.0.9.orig/ld/emultempl/elf32.em	2007-01-03 20:49:14.000000000 +0100
++++ binutils-2.17.50.0.9/ld/emultempl/elf32.em	2007-01-14 19:31:18.000000000 +0100
+@@ -1898,6 +1898,16 @@
+ 	  link_info.noexecstack = TRUE;
+ 	  link_info.execstack = FALSE;
+ 	}
++      else if (strcmp (optarg, "execheap") == 0)
++	{
++	  link_info.execheap = TRUE;
++	  link_info.noexecheap = FALSE;
++	}
++      else if (strcmp (optarg, "noexecheap") == 0)
++	{
++	  link_info.noexecheap = TRUE;
++	  link_info.execheap = FALSE;
++	}
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+@@ -1964,6 +1974,7 @@
+   fprintf (file, _("  -z combreloc\t\tMerge dynamic relocs into one section and sort\n"));
+   fprintf (file, _("  -z defs\t\tReport unresolved symbols in object files.\n"));
+   fprintf (file, _("  -z execstack\t\tMark executable as requiring executable stack\n"));
++  fprintf (file, _("  -z execheap\t\tMark executable as requiring executable heap\n"));
+   fprintf (file, _("  -z initfirst\t\tMark DSO to be initialized first at runtime\n"));
+   fprintf (file, _("  -z interpose\t\tMark object to interpose all DSOs but executable\n"));
+   fprintf (file, _("  -z lazy\t\tMark object lazy runtime binding (default)\n"));
+@@ -1976,6 +1987,7 @@
+   fprintf (file, _("  -z nodlopen\t\tMark DSO not available to dlopen\n"));
+   fprintf (file, _("  -z nodump\t\tMark DSO not available to dldump\n"));
+   fprintf (file, _("  -z noexecstack\tMark executable as not requiring executable stack\n"));
++  fprintf (file, _("  -z noexecheap\tMark executable as not requiring executable heap\n"));
+ EOF
+ 
+   if test -n "$COMMONPAGESIZE"; then
+diff -ruN binutils-2.17.50.0.9.orig/ld/ldgram.y binutils-2.17.50.0.9/ld/ldgram.y
+--- binutils-2.17.50.0.9.orig/ld/ldgram.y	2006-09-24 17:19:58.000000000 +0200
++++ binutils-2.17.50.0.9/ld/ldgram.y	2007-01-14 19:31:18.000000000 +0100
+@@ -1094,6 +1094,8 @@
+ 			    $$ = exp_intop (0x6474e550);
+ 			  else if (strcmp (s, "PT_GNU_STACK") == 0)
+ 			    $$ = exp_intop (0x6474e551);
++			  else if (strcmp (s, "PT_PAX_FLAGS") == 0)
++			    $$ = exp_intop (0x65041580);
+ 			  else
+ 			    {
+ 			      einfo (_("\

security/paxctl/patches/glibc-2.5-dl_execstack_PaX-1.patch

@@ -0,0 +1,85 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5-dl_execstack_PaX-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2004-11-13
+Initial Package Version: 2.3.6
+Upstream Status: Submitted - http://sources.redhat.com/bugzilla/show_bug.cgi?id=3332
+Origin: http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/ \
+        sys-libs/glibc/files/2.3.3/glibc-2.3.3-dl_execstack-PaX-support.patch
+Description: This is needed for Pax. http://pax.grsecurity.net/
+
+Also see:
+http://www.linuxfromscratch.org/hlfs/
+
+diff -Naur glibc-2.3.6.orig/sysdeps/unix/sysv/linux/dl-execstack.c glibc-2.3.6/sysdeps/unix/sysv/linux/dl-execstack.c
+--- glibc-2.3.6.orig/sysdeps/unix/sysv/linux/dl-execstack.c	2005-07-18 04:11:19.000000000 +0000
++++ glibc-2.3.6/sysdeps/unix/sysv/linux/dl-execstack.c	2005-11-13 08:50:35.000000000 +0000
+@@ -58,14 +58,20 @@
+ 					__stack_prot) == 0, 1))
+ 	goto return_success;
+ # if __ASSUME_PROT_GROWSUPDOWN == 0
+-      if (errno == EINVAL)
++      if (errno == EINVAL) {
+ 	no_growsupdown = true;
+-      else
++      } else {
+ # endif
++      if (errno == EACCES)		/* PAX is enabled */
++	return 0;
++      else
+ 	{
+ 	  result = errno;
+ 	  goto out;
+ 	}
++# if __ASSUME_PROT_GROWSUPDOWN == 0
++      }
++# endif
+     }
+ #endif
+ 
+@@ -89,11 +95,14 @@
+ 	page -= size;
+       else
+ 	{
+-	  if (errno != ENOMEM)	/* Unexpected failure mode.  */
++	  if (errno == EACCES) {	/* PAX is enabled  */
++	    return 0;
++	  } else if (errno != ENOMEM) { /* Unexpected failure mode.  */
+ 	    {
+ 	      result = errno;
+ 	      goto out;
+ 	    }
++	  }
+ 
+ 	  if (size == GLRO(dl_pagesize))
+ 	    /* We just tried to mprotect the top hole page and failed.
+@@ -115,11 +124,14 @@
+ 	page += size;
+       else
+ 	{
+-	  if (errno != ENOMEM)	/* Unexpected failure mode.  */
++	  if (errno == EACCES) {	/* PAX is enabled */
++	    return 0;
++	  } else if (errno != ENOMEM)  /* Unexpected failure mode.  */
+ 	    {
+ 	      result = errno;
+ 	      goto out;
+ 	    }
++	  }
+ 
+ 	  if (size == GLRO(dl_pagesize))
+ 	    /* We just tried to mprotect the lowest hole page and failed.

security/paxctl/patches/glibc-2.5-iconv_unnest-1.patch

@@ -0,0 +1,106 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5-iconv_unnest-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2006-10-11
+Initial Package Version: 2.5
+Upstream Status: Submitted - http://sources.redhat.com/bugzilla/show_bug.cgi?id=3350
+Origin: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.3.5/\
+        4010_all_2.3.5-hardened-iconvconfig-unnest.patch
+Description: Move nested function to a static one so we avoid generating a trampoline.
+
+diff -Naur glibc-2.5.orig/iconv/iconvconfig.c glibc-2.5/iconv/iconvconfig.c
+--- glibc-2.5.orig/iconv/iconvconfig.c	2006-09-21 03:57:30.000000000 +0000
++++ glibc-2.5/iconv/iconvconfig.c	2006-10-11 21:36:18.000000000 +0000
+@@ -1011,6 +1011,38 @@
+                               module name offset
+                          (following last entry with step count 0)
+ */
++
++/* Function to insert the names.  */
++/* Made non-nested to avoid trampoline.
++ * Requires hash_table and hash_size to be made global,
++ * but since the caller (write_output) is called once
++ * in the only thread there should be no problem */
++static struct hash_entry *hash_table;
++static size_t hash_size;
++static void
++name_insert (const void *nodep, VISIT value, int level)
++  {
++    struct name *name;
++    unsigned int idx;
++    unsigned int hval2;
++
++    if (value != leaf && value != postorder)
++      return;
++
++    name = *(struct name **) nodep;
++    idx = name->hashval % hash_size;
++    hval2 = 1 + name->hashval % (hash_size - 2);
++
++    while (hash_table[idx].string_offset != 0)
++      if ((idx += hval2) >= hash_size)
++	idx -= hash_size;
++
++    hash_table[idx].string_offset = strtaboffset (name->strent);
++
++    assert (name->module_idx != -1);
++    hash_table[idx].module_idx = name->module_idx;
++  }
++
+ static int
+ write_output (void)
+ {
+@@ -1018,8 +1050,6 @@
+   char *string_table;
+   size_t string_table_size;
+   struct gconvcache_header header;
+-  struct hash_entry *hash_table;
+-  size_t hash_size;
+   struct module_entry *module_table;
+   char *extra_table;
+   char *cur_extra_table;
+@@ -1032,30 +1062,6 @@
+   char tmpfname[(output_file == NULL ? sizeof finalname : output_file_len + 1)
+ 		+ strlen (".XXXXXX")];
+ 
+-  /* Function to insert the names.  */
+-  auto void
+-  name_insert (const void *nodep, VISIT value, int level)
+-    {
+-      struct name *name;
+-      unsigned int idx;
+-      unsigned int hval2;
+-
+-      if (value != leaf && value != postorder)
+-	return;
+-
+-      name = *(struct name **) nodep;
+-      idx = name->hashval % hash_size;
+-      hval2 = 1 + name->hashval % (hash_size - 2);
+-
+-      while (hash_table[idx].string_offset != 0)
+-	if ((idx += hval2) >= hash_size)
+-	  idx -= hash_size;
+-
+-      hash_table[idx].string_offset = strtaboffset (name->strent);
+-
+-      assert (name->module_idx != -1);
+-      hash_table[idx].module_idx = name->module_idx;
+-    }
+ 
+   /* Open the output file.  */
+   if (output_file == NULL)

security/paxctl/patches/glibc-2.5-localedef_segfault-1.patch

@@ -0,0 +1,74 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5-localedef_segfault-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Jim Gifford
+Date: 2006-10-10
+Initial Package Version: 2.5
+Origin: Debian
+Upstream Status: Submitted - http://sources.redhat.com/bugzilla/show_bug.cgi?id=3333
+Description: Fixes Segfault when using localdef.
+             This problem is only noticed when using PaX
+             and some architectures besides x86.
+             See debian bug # 231438
+
+Rediffed against Jim Gifford's patch, just to remove fuzz.
+
+diff -Naur glibc-2.5.orig/locale/programs/3level.h glibc-2.5/locale/programs/3level.h
+--- glibc-2.5.orig/locale/programs/3level.h	2005-12-07 05:47:27.000000000 +0000
++++ glibc-2.5/locale/programs/3level.h	2006-10-11 08:05:00.000000000 +0000
+@@ -202,6 +202,42 @@
+ 	}
+     }
+ }
++
++/* GCC ATM seems to do a poor job with pointers to nested functions passed
++   to inlined functions.  Help it a little bit with this hack.  */
++#define wchead_table_iterate(tp, fn) \
++do									      \
++  {									      \
++    struct wchead_table *t = (tp);					      \
++    uint32_t index1;							      \
++    for (index1 = 0; index1 < t->level1_size; index1++)			      \
++      {									      \
++	uint32_t lookup1 = t->level1[index1];				      \
++	if (lookup1 != ((uint32_t) ~0))					      \
++	  {								      \
++	    uint32_t lookup1_shifted = lookup1 << t->q;			      \
++	    uint32_t index2;						      \
++	    for (index2 = 0; index2 < (1 << t->q); index2++)		      \
++	      {								      \
++		uint32_t lookup2 = t->level2[index2 + lookup1_shifted];	      \
++		if (lookup2 != ((uint32_t) ~0))				      \
++		  {							      \
++		    uint32_t lookup2_shifted = lookup2 << t->p;		      \
++		    uint32_t index3;					      \
++		    for (index3 = 0; index3 < (1 << t->p); index3++)	      \
++		      {							      \
++			struct element_t *lookup3			      \
++			  = t->level3[index3 + lookup2_shifted];	      \
++			if (lookup3 != NULL)				      \
++			  fn ((((index1 << t->q) + index2) << t->p) + index3, \
++			      lookup3);					      \
++		      }							      \
++		  }							      \
++	      }								      \
++	  }								      \
++      }									      \
++  } while (0)
++
+ #endif
+ 
+ #ifndef NO_FINALIZE

security/paxctl/patches/glibc-2.5-pt_pax-1.patch

@@ -0,0 +1,56 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5-pt_pax-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2006-10-11
+Initial Package Version: 2.5
+Upstream Status: Not submitted - PaX specific. Will not be accepted upstream.
+Origin: http://www.gtlib.cc.gatech.edu/pub/gentoo/gentoo-x86-portage/sys-libs/ \
+        glibc/files/2.3.3/glibc-2.3.3_pre20040117-pt_pax.diff
+Description: This is needed for Pax. http://pax.grsecurity.net/
+Also see:
+http://www.linuxfromscratch.org/hlfs/
+
+diff -Naur glibc-2.5.orig/elf/elf.h glibc-2.5/elf/elf.h
+--- glibc-2.5.orig/elf/elf.h	2006-07-10 21:54:02.000000000 +0000
++++ glibc-2.5/elf/elf.h	2006-10-11 21:30:02.000000000 +0000
+@@ -569,6 +569,7 @@
+ #define PT_GNU_EH_FRAME	0x6474e550	/* GCC .eh_frame_hdr segment */
+ #define PT_GNU_STACK	0x6474e551	/* Indicates stack executability */
+ #define PT_GNU_RELRO	0x6474e552	/* Read-only after relocation */
++#define PT_PAX_FLAGS	0x65041580	/* Indicates PaX flag markings */
+ #define PT_LOSUNW	0x6ffffffa
+ #define PT_SUNWBSS	0x6ffffffa	/* Sun Specific segment */
+ #define PT_SUNWSTACK	0x6ffffffb	/* Stack segment */
+@@ -582,6 +583,18 @@
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
+ #define PF_MASKOS	0x0ff00000	/* OS-specific */
+ #define PF_MASKPROC	0xf0000000	/* Processor-specific */
+ 

security/paxctl/patches/glibc-2.5.1-iconvconfig_trampoline-1.patch

@@ -0,0 +1,113 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5.1-iconvconfig_trampoline-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2007-05-05
+Initial Package Version: 2.5
+Upstream Status: Rejected - http://sources.redhat.com/bugzilla/show_bug.cgi?id=3350
+Origin: Fedora's glibc-fedora.patch (via glibc-2.5.90-21)
+Description: Avoid segmentation faults, or kills, on PaX and Exe-Shield kernels,
+             and some non-x86 architectures.
+
+* Fri May  2 2003 Jakub Jelinek <jakub@redhat.com> 2.3.2-34
+  - avoid using trampolines in iconvconfig for now
+
+This patch is also known as:
+local-iconv-fix-trampoline.diff (Debian)
+4010_all_2.3.5-hardened-iconvconfig-unnest.patch (Gentoo)
+
+Also see:
+http://bugs.gentoo.org/show_bug.cgi?id=85718
+
+diff -Naur glibc-2.5.orig/iconv/iconvconfig.c glibc-2.5/iconv/iconvconfig.c
+--- glibc-2.5.orig/iconv/iconvconfig.c	2006-09-21 03:57:30.000000000 +0000
++++ glibc-2.5/iconv/iconvconfig.c	2007-05-05 08:28:57.000000000 +0000
+@@ -1011,6 +1011,34 @@
+                               module name offset
+                          (following last entry with step count 0)
+ */
++
++static struct hash_entry *hash_table;
++static size_t hash_size;
++
++/* Function to insert the names.  */
++static void name_insert (const void *nodep, VISIT value, int level)
++{
++  struct name *name;
++  unsigned int idx;
++  unsigned int hval2;
++
++  if (value != leaf && value != postorder)
++    return;
++
++  name = *(struct name **) nodep;
++  idx = name->hashval % hash_size;
++  hval2 = 1 + name->hashval % (hash_size - 2);
++
++  while (hash_table[idx].string_offset != 0)
++    if ((idx += hval2) >= hash_size)
++      idx -= hash_size;
++
++  hash_table[idx].string_offset = strtaboffset (name->strent);
++
++  assert (name->module_idx != -1);
++  hash_table[idx].module_idx = name->module_idx;
++}
++
+ static int
+ write_output (void)
+ {
+@@ -1018,8 +1046,6 @@
+   char *string_table;
+   size_t string_table_size;
+   struct gconvcache_header header;
+-  struct hash_entry *hash_table;
+-  size_t hash_size;
+   struct module_entry *module_table;
+   char *extra_table;
+   char *cur_extra_table;
+@@ -1032,31 +1058,6 @@
+   char tmpfname[(output_file == NULL ? sizeof finalname : output_file_len + 1)
+ 		+ strlen (".XXXXXX")];
+ 
+-  /* Function to insert the names.  */
+-  auto void
+-  name_insert (const void *nodep, VISIT value, int level)
+-    {
+-      struct name *name;
+-      unsigned int idx;
+-      unsigned int hval2;
+-
+-      if (value != leaf && value != postorder)
+-	return;
+-
+-      name = *(struct name **) nodep;
+-      idx = name->hashval % hash_size;
+-      hval2 = 1 + name->hashval % (hash_size - 2);
+-
+-      while (hash_table[idx].string_offset != 0)
+-	if ((idx += hval2) >= hash_size)
+-	  idx -= hash_size;
+-
+-      hash_table[idx].string_offset = strtaboffset (name->strent);
+-
+-      assert (name->module_idx != -1);
+-      hash_table[idx].module_idx = name->module_idx;
+-    }
+-
+   /* Open the output file.  */
+   if (output_file == NULL)
+     {

security/paxctl/patches/glibc-2.5.1-localedef_trampoline-1.patch

@@ -0,0 +1,80 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5.1-localedef_trampoline-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2007-05-05
+Initial Package Version: 2.5
+Upstream Status: Rejected - http://sources.redhat.com/bugzilla/show_bug.cgi?id=3333
+Origin: Fedora's glibc-fedora.patch (via glibc-2.5.90-21)
+Description: Avoid segmentation faults, or kills, on PaX and Exe-Shield kernels,
+             and some non-x86 architectures.
+
+* Sun Jun 01 2003 Jakub Jelinek <jakub@redhat.com> 2.3.2-46
+  - avoid using trampolines in localedef
+
+This patch is also known as:
+local-localedef-fix-trampoline.diff (Debian)
+1040_all_2.3.3-localedef-fix-trampoline.patch (Gentoo)
+
+Also see:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231438
+
+diff -Naur glibc-2.5.orig/locale/programs/3level.h glibc-2.5/locale/programs/3level.h
+--- glibc-2.5.orig/locale/programs/3level.h	2005-12-07 05:47:27.000000000 +0000
++++ glibc-2.5/locale/programs/3level.h	2006-10-11 08:05:00.000000000 +0000
+@@ -202,6 +202,42 @@
+ 	}
+     }
+ }
++
++/* GCC ATM seems to do a poor job with pointers to nested functions passed
++   to inlined functions.  Help it a little bit with this hack.  */
++#define wchead_table_iterate(tp, fn) \
++do									      \
++  {									      \
++    struct wchead_table *t = (tp);					      \
++    uint32_t index1;							      \
++    for (index1 = 0; index1 < t->level1_size; index1++)			      \
++      {									      \
++	uint32_t lookup1 = t->level1[index1];				      \
++	if (lookup1 != ((uint32_t) ~0))					      \
++	  {								      \
++	    uint32_t lookup1_shifted = lookup1 << t->q;			      \
++	    uint32_t index2;						      \
++	    for (index2 = 0; index2 < (1 << t->q); index2++)		      \
++	      {								      \
++		uint32_t lookup2 = t->level2[index2 + lookup1_shifted];	      \
++		if (lookup2 != ((uint32_t) ~0))				      \
++		  {							      \
++		    uint32_t lookup2_shifted = lookup2 << t->p;		      \
++		    uint32_t index3;					      \
++		    for (index3 = 0; index3 < (1 << t->p); index3++)	      \
++		      {							      \
++			struct element_t *lookup3			      \
++			  = t->level3[index3 + lookup2_shifted];	      \
++			if (lookup3 != NULL)				      \
++			  fn ((((index1 << t->q) + index2) << t->p) + index3, \
++			      lookup3);					      \
++		      }							      \
++		  }							      \
++	      }								      \
++	  }								      \
++      }									      \
++  } while (0)
++
+ #endif
+ 
+ #ifndef NO_FINALIZE

security/paxctl/patches/glibc-2.5.1-pt_pax-1.patch

@@ -0,0 +1,56 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/patches/glibc-2.5.1-pt_pax-1.patch
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Submitted By: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
+Date: 2006-10-11
+Initial Package Version: 2.5
+Upstream Status: Not submitted - PaX specific. Will not be accepted upstream.
+Origin: http://www.gtlib.cc.gatech.edu/pub/gentoo/gentoo-x86-portage/sys-libs/ \
+        glibc/files/2.3.3/glibc-2.3.3_pre20040117-pt_pax.diff
+Description: This is needed for Pax. http://pax.grsecurity.net/
+Also see:
+http://www.linuxfromscratch.org/hlfs/
+
+diff -Naur glibc-2.5.orig/elf/elf.h glibc-2.5/elf/elf.h
+--- glibc-2.5.orig/elf/elf.h	2006-07-10 21:54:02.000000000 +0000
++++ glibc-2.5/elf/elf.h	2006-10-11 21:30:02.000000000 +0000
+@@ -569,6 +569,7 @@
+ #define PT_GNU_EH_FRAME	0x6474e550	/* GCC .eh_frame_hdr segment */
+ #define PT_GNU_STACK	0x6474e551	/* Indicates stack executability */
+ #define PT_GNU_RELRO	0x6474e552	/* Read-only after relocation */
++#define PT_PAX_FLAGS	0x65041580	/* Indicates PaX flag markings */
+ #define PT_LOSUNW	0x6ffffffa
+ #define PT_SUNWBSS	0x6ffffffa	/* Sun Specific segment */
+ #define PT_SUNWSTACK	0x6ffffffb	/* Stack segment */
+@@ -582,6 +583,18 @@
+ #define PF_X		(1 << 0)	/* Segment is executable */
+ #define PF_W		(1 << 1)	/* Segment is writable */
+ #define PF_R		(1 << 2)	/* Segment is readable */
++#define PF_PAGEEXEC	(1 << 4)	/* Enable  PAGEEXEC */
++#define PF_NOPAGEEXEC	(1 << 5)	/* Disable PAGEEXEC */
++#define PF_SEGMEXEC	(1 << 6)	/* Enable  SEGMEXEC */
++#define PF_NOSEGMEXEC	(1 << 7)	/* Disable SEGMEXEC */
++#define PF_MPROTECT	(1 << 8)	/* Enable  MPROTECT */
++#define PF_NOMPROTECT	(1 << 9)	/* Disable MPROTECT */
++#define PF_RANDEXEC	(1 << 10)	/* Enable  RANDEXEC */
++#define PF_NORANDEXEC	(1 << 11)	/* Disable RANDEXEC */
++#define PF_EMUTRAMP	(1 << 12)	/* Enable  EMUTRAMP */
++#define PF_NOEMUTRAMP	(1 << 13)	/* Disable EMUTRAMP */
++#define PF_RANDMMAP	(1 << 14)	/* Enable  RANDMMAP */
++#define PF_NORANDMMAP	(1 << 15)	/* Disable RANDMMAP */
+ #define PF_MASKOS	0x0ff00000	/* OS-specific */
+ #define PF_MASKPROC	0xf0000000	/* Processor-specific */
+ 

security/paxctl/paxctl.cache

@@ -0,0 +1,8 @@
+paxctl: sbin/paxctl
+paxctl: usr/share/man/man1/paxctl.1
+paxctl: var/adm/cksums/paxctl
+paxctl: var/adm/dependencies/paxctl
+paxctl: var/adm/descs/paxctl
+paxctl: var/adm/flists/paxctl
+paxctl: var/adm/md5sums/paxctl
+paxctl: var/adm/packages/paxctl

security/paxctl/paxctl.desc

@@ -0,0 +1,43 @@
+[COPY] --- SDE-COPYRIGHT-NOTE-BEGIN ---
+[COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+[COPY]
+[COPY] Filename: package/.../paxctl/paxctl.desc
+[COPY] Copyright (C) 2007 - 2008 The OpenSDE Project
+[COPY]
+[COPY] More information can be found in the files COPYING and README.
+[COPY]
+[COPY] This program is free software; you can redistribute it and/or modify
+[COPY] it under the terms of the GNU General Public License as published by
+[COPY] the Free Software Foundation; version 2 of the License. A copy of the
+[COPY] GNU General Public License can be found in the file COPYING.
+[COPY] --- SDE-COPYRIGHT-NOTE-END ---
+
+[I] A user-space utility to control PaX flags
+
+[T] paxctl is a tool that allows PaX flags to be modified on a per-binary basis.
+[T] PaX is part of common security-enhancing kernel patches like grsecurity and
+[T] RSBAC. Your system needs to be running a properly patched and configured
+[T] kernel for this program to have any effect.
+[T] The PaX patch for the Linux kernel provides two ways to harden a system:
+[T] 1. Address Space Layout Randomization (ASLR), which provides randomization
+[T]    of the addressing scheme of all data loaded into memory.
+[T]    When an application is built as a Position Independent Executable (PIE),
+[T]    PaX is also able to randomize the addresses of the application base
+[T]    additionally. 
+[T] 2. Non-Executable Memory, which prevents a common form of attack where
+[T]    executable code is inserted into memory by an attacker.
+
+[U] http://pax.grsecurity.net
+
+[A] The PaX Team <pageexec@freemail.hu>
+[M] Christian Wiese <morfoh@opensde.org>
+
+[C] extra/security
+
+[L] OpenSource
+[S] Stable
+[V] 0.5
+[P] X -----5---9 110.000
+
+[D] 1979315920 paxctl-0.5.tar.gz http://pax.grsecurity.net/
+[D] 3048938916 pax-linux-2.6.24.4-test37.patch http://grsecurity.net/test/

security/paxctl/pkg_linux-header_post.conf

@@ -0,0 +1,15 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/pkg_linux-header_post.conf
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License. A copy of the
+# GNU General Public License can be found in the file COPYING.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+. $base/package/*/paxctl/pkg_linux_post.conf

security/paxctl/pkg_linux26_post.conf

@@ -0,0 +1,15 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/pkg_linux26_post.conf
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License. A copy of the
+# GNU General Public License can be found in the file COPYING.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+. $base/package/*/paxctl/pkg_linux_post.conf

security/paxctl/pkg_linux_post.conf

@@ -0,0 +1,28 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../paxctl/pkg_linux_post.conf
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License. A copy of the
+# GNU General Public License can be found in the file COPYING.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+# just include the PaX patch if grsecurity and rsbac are not enabled
+# because they include it yet
+if ! pkginstalled grsecurity && ! pkginstalled rsbac ; then
+	pkg_pax_confdir=$base/package/*/paxctl
+	pkg_pax_lxpatch=`match_source_file -p pax-linux-${ver:0:3} paxctl`
+	pax_ver=${pkg_pax_lxpatch%.patch} pax_ver=${pax_ver#*linux-}
+
+	# manualy adjusting EXTRAVERSION
+	hook_add postpatch 5 "lx_extraversion=\$lx_extraversion-pax"
+
+	echo_status "Including PaX support ($pax_ver)"
+	var_append patchfiles ' ' "$pkg_pax_lxpatch"
+	var_append lx_confmerge  ' ' "$pkg_pax_confdir/kernel-pax.config.in"
+fi