@@ -4798,7 +4798,7 @@ CONFIG_SQUASHFS_FILE_CACHE=y

 CONFIG_SQUASHFS_DECOMP_SINGLE=y

 # CONFIG_SQUASHFS_DECOMP_MULTI is not set

 # CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set

-# CONFIG_SQUASHFS_XATTR is not set

+CONFIG_SQUASHFS_XATTR=y

 CONFIG_SQUASHFS_ZLIB=y

 # CONFIG_SQUASHFS_LZ4 is not set

 CONFIG_SQUASHFS_LZO=y

@@ -4960,9 +4960,9 @@ CONFIG_IO_WQ=y

 #

 CONFIG_PAX=y

 CONFIG_PAX_NOWRITEEXEC=y

-# CONFIG_PAX_EMUTRAMP is not set

-CONFIG_EXECSTACK_DISABLED=y

+CONFIG_PAX_EMUTRAMP=y

 CONFIG_PAX_MPROTECT=y

+CONFIG_PAX_XATTR_PAX_FLAGS=y

 CONFIG_PAX_RAP=y

 CONFIG_KEYS=y

 # CONFIG_KEYS_REQUEST_CACHE is not set

@@ -16,7 +16,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        6.1.28

-Release:        4%{?kat_build:.kat}%{?dist}

+Release:        5%{?kat_build:.kat}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org

 Group:          System Environment/Kernel

@@ -170,6 +170,9 @@ Requires(pre):    (coreutils or coreutils-selinux)

 Requires(preun):  (coreutils or coreutils-selinux)

 Requires(post):   (coreutils or coreutils-selinux)

 Requires(postun): (coreutils or coreutils-selinux)

+# Linux-secure handles user.pax.flags extended attribute

+# User must have setfattr/getfattr tools available

+Requires: attr

 %description

 Security hardened Linux kernel.

@@ -411,6 +414,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 %endif

 %changelog

+* Wed Nov 22 2023 Alexey Makhalov <amakhalov@vmware.com> 6.1.28-5

+- PaX: Support xattr 'em' file markings

 * Sun Nov 19 2023 Shreenidhi Shedi <sshedi@vmware.com> 6.1.28-4

 - Bump version as a part of openssl upgrade

 * Tue Oct 03 2023 Kuntal Nayak <nkunal@vmware.com> 6.1.28-3

@@ -1,26 +1,97 @@

-From 2f81e15c64fe8ad3732a71fbf1e4053842e6e1b7 Mon Sep 17 00:00:00 2001

+From a4ee0450bab7b133270e99ab236c8996df457178 Mon Sep 17 00:00:00 2001

 From: Alexey Makhalov <amakhalov@vmware.com>

 Date: Fri, 3 Feb 2017 07:10:18 -0800

-Subject: [PATCH 2/6] NOWRITEEXEC and PAX features: MPROTECT, EMUTRAMP

+Subject: [PATCH] NOWRITEEXEC and PAX features: MPROTECT, EMUTRAMP

+NOWRITEEXEC: Is an implementation of userspace W^X memory protection policy.

+W^X is a security feature in operating systems and virtual machines. It is

+a memory protection policy whereby every page in a process's or kernel's

+address space may be either writable or executable, but not both. Without

+such protection, a program can write (as data "W") CPU instructions in an

+area of memory intended for data and then run (as executable "X"; or

+read-execute "RX") those instructions. This can be dangerous if the writer

+of the memory is malicious. W^X is the Unix-like terminology for a strict

+use of the general concept of executable space protection, controlled via

+the mprotect system call. Kernel space was already W^X protected by NX

+feature. NOWRITEEXEC implements similar protection for userspace processes.

+

+NOWRITEEXEC disallow ELF program headers with WE (write and execute)

+properties set at the same time. In addition NOWRITEEXEC forbids any mappings

+(anonymous or file backed) to be both writable and executable.

+

+All modern toolchain and compilers generate ELF binaries with R, RW, RE flags

+only. There is an exception where GNU_STACK may have RWE. Some programs and

+libraries that for one reason or another attempt to execute special small code

+snippets from stack which is disallowed to be executable by NOWRITEEXEC. Most

+notable examples are the signal handler return code generated by the kernel

+itself and the GCC trampolines. To make those binaries happy, PaX introduced

+trampolines emulation (EMUTRAMP), where kernel traps on stack execution and

+emulates known sequence of instruction. For unknown pattern it faults with

+W^X violation error.

+

+MPROTECT: Enabling this option will prevent programs from

+ - changing the executable status of memory pages that were not originally

+   created as executable,

+ - making read-only executable pages writable again,

+ - creating executable pages from anonymous memory,

+ - making read-only-after-relocations (RELRO) data pages writable again.

+

+Enabling this option will prevent the injection and execution of 'foreign'

+code in a program. This will also break programs that rely on the old

+behaviour and expect that dynamically allocated memory via the malloc()

+family of functions is executable (which it is not). Notable examples are

+the XFree86 4.x server, the java runtime and wine.

+

+PAX_XATTR_PAX_FLAGS: filesystem extended attributes marking.

+Enabling this option will allow you to control PaX features on a per

+executable basis via the 'setfattr' utility.  The control flags will

+be read from the user.pax.flags extended attribute of the file. The main

+drawback is that extended attributes are not supported by some filesystems

+(e.g., isofs, udf, vfat) so copying files through such filesystems will lose

+the extended attributes and these PaX markings. If you enable none of the

+marking options then all applications will run with PaX enabled on them by

+default.

+

+Supported markings:

+ e - EMUTRAMP disabled. Executable stack disallowed.

+ E - EMUTRAMP enabled. Executable stack disallowed but emulated.

+ m - MPROTECT disabled. WE mappings are allowed. Security risk!

+ M - MPROTECT enabled. W^E policy is in place for all userspace mappings.

+Default PaX control setings:

+ "eM" - for most applications

+ "EM" - for applications with RWE stack.

+

+Per file markings can be set using setfattr tool. Example of disabling

+MPROTECT for java binary:

+setfattr -n user.pax.flags -v "em" /usr/lib/jvm/OpenJDK-17/bin/java

+

+Current process settings can be fetched from /proc/<pid>/status.

+

+URL: https://en.wikipedia.org/wiki/W^X

+URL: https://lwn.net/Articles/422487/

+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

 Signed-off-by: Keerthana K <keerthanak@vmware.com>

+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

 ---

- arch/x86/mm/fault.c      | 218 +++++++++++++++++++++++++++++++++++++++

- fs/binfmt_elf.c          |  70 +++++++++++++

- fs/exec.c                |   5 +

- include/linux/binfmts.h  |   3 +

- include/linux/elf.h      |   2 +

- include/linux/mm_types.h |   3 +

- include/linux/sched.h    |   2 +

- include/uapi/linux/elf.h |   2 +

- ipc/shm.c                |   3 +

- mm/mmap.c                |  25 +++++

- mm/mprotect.c            |  13 +++

- security/Kconfig         |  78 ++++++++++++++

- 12 files changed, 424 insertions(+)

+ arch/x86/mm/fault.c        | 218 +++++++++++++++++++++++++++++++++++++

+ fs/binfmt_elf.c            | 149 +++++++++++++++++++++++++

+ fs/exec.c                  |   6 +

+ fs/proc/array.c            |  18 +++

+ include/linux/binfmts.h    |   3 +

+ include/linux/elf.h        |   2 +

+ include/linux/mm_types.h   |   3 +

+ include/linux/sched.h      |   3 +

+ include/uapi/linux/elf.h   |   2 +

+ include/uapi/linux/xattr.h |   5 +

+ ipc/shm.c                  |   4 +

+ mm/mmap.c                  |  26 +++++

+ mm/mprotect.c              |  13 +++

+ mm/shmem.c                 |  37 +++++++

+ security/Kconfig           |  91 ++++++++++++++++

+ 15 files changed, 580 insertions(+)

 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c

-index fa71a5d12..ce8af675a 100644

+index 7b0d4ab89..9a58c2507 100644

 --- a/arch/x86/mm/fault.c

 +++ b/arch/x86/mm/fault.c

 @@ -166,6 +166,11 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)

@@ -35,7 +106,7 @@ index fa71a5d12..ce8af675a 100644

  DEFINE_SPINLOCK(pgd_lock);

  LIST_HEAD(pgd_list);

-@@ -724,6 +729,13 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code,

+@@ -745,6 +750,13 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code,

  		 */

  		if (in_interrupt())

  			return;

@@ -49,7 +120,7 @@ index fa71a5d12..ce8af675a 100644

  		/*

  		 * Per the above we're !in_interrupt(), aka. task context.

-@@ -1546,3 +1558,209 @@ DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault)

+@@ -1577,3 +1589,209 @@ DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault)

  	irqentry_exit(regs, state);

  }

@@ -260,7 +331,7 @@ index fa71a5d12..ce8af675a 100644

 +}

 +#endif

 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c

-index 63c7ebb0d..de5cd38cb 100644

+index 444302afc..d9a8f88db 100644

 --- a/fs/binfmt_elf.c

 +++ b/fs/binfmt_elf.c

 @@ -45,6 +45,7 @@

@@ -292,26 +363,109 @@ index 63c7ebb0d..de5cd38cb 100644

  	.min_coredump	= ELF_EXEC_PAGESIZE,

  #endif

  };

-@@ -1006,6 +1014,18 @@ static int load_elf_binary(struct linux_binprm *bprm)

+@@ -821,6 +829,77 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,

+ 	return ret == -ENOENT ? 0 : ret;

+ }

+ 

++#if defined(CONFIG_PAX_XATTR_PAX_FLAGS)

++static ssize_t pax_getxattr(struct file * const file, void *value, size_t size)

++{

++	struct dentry *dentry = file->f_path.dentry;

++	struct inode *inode = dentry->d_inode;

++	ssize_t error;

++

++	error = inode_permission(file_mnt_user_ns(file), inode, MAY_EXEC);

++	if (error)

++		return error;

++

++	return __vfs_getxattr(dentry, inode, XATTR_NAME_USER_PAX_FLAGS, value, size);

++}

++

++static void pax_parse_xattr_pax(struct file * const file, int *m, int *e)

++{

++

++	ssize_t xattr_size, i;

++	unsigned char xattr_value[sizeof("em") - 1];

++

++	xattr_size = pax_getxattr(file, xattr_value, sizeof xattr_value);

++	if (xattr_size < 0 || xattr_size > sizeof xattr_value)

++		return;

++

++	for (i = 0; i < xattr_size; i++)

++		switch (xattr_value[i]) {

++		case 'm':

++			*m = 0;

++			break;

++		case 'M':

++			*m = MF_PAX_MPROTECT;

++			break;

++		case 'e':

++			*e = 0;

++			break;

++		case 'E':

++			*e = MF_PAX_EMUTRAMP;

++			break;

++		}

++}

++

++static long pax_parse_pax_flags(struct file * const file)

++{

++	int fm = -1, fe = -1;

++	unsigned long pax_flags = current->mm->pax_flags;

++

++	pax_parse_xattr_pax(file, &fm, &fe);

++

++	/* MPROTECT: overwrite from xattr */

++	if (fm != -1) {

++		pax_flags &= ~MF_PAX_MPROTECT;

++		pax_flags |= fm;

++	}

++

++	/* EMUTRAMP: sanity check */

++	if (fe == MF_PAX_EMUTRAMP) {

++		pax_flags |= MF_PAX_EMUTRAMP;

++	} else if (!fe){

++		if (pax_flags & MF_PAX_EMUTRAMP) {

++			pr_err("PAX: %s[%d] needs an executable stack. Can not disable EMUTRAMP. Please fix 'e' bit in "

++					XATTR_NAME_USER_PAX_FLAGS " xattr.",

++					current->comm, task_pid_nr(current));

++			return -EINVAL;

++		}

++	}

++

++	current->mm->pax_flags = pax_flags;

++	return 0;

++}

++#endif

++

+ static int load_elf_binary(struct linux_binprm *bprm)

+ {

+ 	struct file *interpreter = NULL; /* to shut gcc up */

+@@ -1006,6 +1085,23 @@ static int load_elf_binary(struct linux_binprm *bprm)

  	/* Do this immediately, since STACK_TOP as used in setup_arg_pages

  	   may depend on the personality.  */

  	SET_PERSONALITY2(*elf_ex, &arch_state);

-+#if defined(CONFIG_PAX)

-+	current->mm->pax_flags = 0UL;

 +#if defined(CONFIG_PAX_NOWRITEEXEC)

++	/* Enable MPROTECT by default */

++	current->mm->pax_flags = MF_PAX_MPROTECT;

++#if defined(CONFIG_PAX_EMUTRAMP)

++	/* Enable EMUTRAMP if ELF requires executable stack */

 +	if (executable_stack == EXSTACK_ENABLE_X)

 +	{

-+#if defined(CONFIG_PAX_EMUTRAMP)

 +		executable_stack = EXSTACK_DISABLE_X;

 +		current->mm->pax_flags |= MF_PAX_EMUTRAMP;

-+#endif

 +	}

 +#endif

++#if defined(CONFIG_PAX_XATTR_PAX_FLAGS)

++	retval = pax_parse_pax_flags(bprm->file);

++	if (retval < 0)

++		goto out_free_dentry;

++#endif

 +#endif

  	if (elf_read_implies_exec(*elf_ex, executable_stack))

  		current->personality |= READ_IMPLIES_EXEC;

-@@ -2329,6 +2349,56 @@ static int elf_core_dump(struct coredump_params *cprm)

+@@ -2330,6 +2426,59 @@ static int elf_core_dump(struct coredump_params *cprm)

  #endif		/* CONFIG_ELF_CORE */

@@ -330,8 +484,9 @@ index 63c7ebb0d..de5cd38cb 100644

 +	unsigned long i;

 +	unsigned long oldflags;

 +	bool is_relro;

++	loff_t pos;

 +

-+	if (!vma->vm_file)

++	if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file)

 +		return;

 +

 +	oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);

@@ -343,7 +498,8 @@ index 63c7ebb0d..de5cd38cb 100644

 +	if (!is_relro)

 +		return;

 +

-+	if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||

++	pos = 0UL;

++	if (sizeof(elf_h) != kernel_read(vma->vm_file, (char *)&elf_h, sizeof(elf_h), &pos) ||

 +	    memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||

 +	    (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||

 +	    !elf_check_arch(&elf_h) ||

@@ -352,7 +508,8 @@ index 63c7ebb0d..de5cd38cb 100644

 +		return;

 +

 +	for (i = 0UL; i < elf_h.e_phnum; i++) {

-+		if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))

++		pos = elf_h.e_phoff + i*sizeof(elf_p);

++		if (sizeof(elf_p) != kernel_read(vma->vm_file, (char *)&elf_p, sizeof(elf_p), &pos))

 +			return;

 +		if (elf_p.p_type == PT_GNU_RELRO) {

 +			if (!is_relro)

@@ -369,27 +526,64 @@ index 63c7ebb0d..de5cd38cb 100644

  {

  	register_binfmt(&elf_format);

 diff --git a/fs/exec.c b/fs/exec.c

-index d046dbb9c..61aac7f67 100644

+index a0b1f0337..91925ca79 100644

 --- a/fs/exec.c

 +++ b/fs/exec.c

-@@ -805,7 +805,12 @@ int setup_arg_pages(struct linux_binprm *bprm,

+@@ -807,7 +807,13 @@ int setup_arg_pages(struct linux_binprm *bprm,

  	if (unlikely(executable_stack == EXSTACK_ENABLE_X))

  		vm_flags |= VM_EXEC;

  	else if (executable_stack == EXSTACK_DISABLE_X)

 +	{

  		vm_flags &= ~VM_EXEC;

 +#ifdef CONFIG_PAX_MPROTECT

-+		vm_flags &= ~VM_MAYEXEC;

++		if (mm->pax_flags & MF_PAX_MPROTECT)

++			vm_flags &= ~VM_MAYEXEC;

 +#endif

 +	}

  	vm_flags |= mm->def_flags;

  	vm_flags |= VM_STACK_INCOMPLETE_SETUP;

+diff --git a/fs/proc/array.c b/fs/proc/array.c

+index 49283b810..1ee4742e4 100644

+--- a/fs/proc/array.c

+@@ -428,6 +428,19 @@ static inline void task_thp_status(struct seq_file *m, struct mm_struct *mm)

+ 	seq_printf(m, "THP_enabled:\t%d\n", thp_enabled);

+ }

+ 

++#if defined(CONFIG_PAX_NOWRITEEXEC)

++static inline void task_pax(struct seq_file *m, struct task_struct *p)

++{

++	if (p->mm)

++		seq_printf(m, "PaX:\t%c%c\n",

++			p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',

++			p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm');

++	else

++		seq_printf(m, "PaX:\t--\n");

++}

++#endif

++

++

+ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,

+ 			struct pid *pid, struct task_struct *task)

+ {

+@@ -451,6 +464,11 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,

+ 	task_cpus_allowed(m, task);

+ 	cpuset_task_status_allowed(m, task);

+ 	task_context_switch_counts(m, task);

++

++#if defined(CONFIG_PAX_NOWRITEEXEC)

++	task_pax(m, task);

++#endif

++

+ 	return 0;

+ }

+ 

 diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h

-index 3dc20c4f3..ad06adba2 100644

+index 8d51f69f9..1e2c70230 100644

 --- a/include/linux/binfmts.h

 +++ b/include/linux/binfmts.h

-@@ -89,6 +89,9 @@ struct linux_binfmt {

+@@ -86,6 +86,9 @@ struct linux_binfmt {

  	int (*load_shlib)(struct file *);

  #ifdef CONFIG_COREDUMP

  	int (*core_dump)(struct coredump_params *cprm);

@@ -420,28 +614,29 @@ index c9a46c4e1..8646a6b22 100644

  #endif

 diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h

-index cf97f3884..f5af71d51 100644

+index 247aedb18..8399506d0 100644

 --- a/include/linux/mm_types.h

 +++ b/include/linux/mm_types.h

-@@ -661,6 +661,9 @@ struct mm_struct {

+@@ -684,6 +684,9 @@ struct mm_struct {

  		atomic_long_t hugetlb_usage;

  #endif

  		struct work_struct async_put_work;

-+#if defined(CONFIG_PAX)

-+	unsigned long pax_flags;

++#if defined(CONFIG_PAX_NOWRITEEXEC)

++		unsigned long pax_flags;

 +#endif

  #ifdef CONFIG_IOMMU_SVA

  		u32 pasid;

 diff --git a/include/linux/sched.h b/include/linux/sched.h

-index e7b2f8a5c..0714baf8c 100644

+index ffb6eb55c..7e80d3e6a 100644

 --- a/include/linux/sched.h

 +++ b/include/linux/sched.h

-@@ -1291,6 +1291,8 @@ struct task_struct {

+@@ -1306,6 +1306,9 @@ struct task_struct {

  	unsigned long			numa_pages_migrated;

  #endif /* CONFIG_NUMA_BALANCING */

 +#define MF_PAX_EMUTRAMP		0x02000000	/* Emulate trampolines */

++#define MF_PAX_MPROTECT		0x04000000	/* Restrict mprotect() */

 +

  #ifdef CONFIG_RSEQ

  	struct rseq __user *rseq;

@@ -459,72 +654,89 @@ index c7b056af9..c10d0910e 100644

  #define DT_ENCODING	32

  #define OLD_DT_LOOS	0x60000000

  #define DT_LOOS		0x6000000d

+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h

+index 9463db2df..d4264c8df 100644

+--- a/include/uapi/linux/xattr.h

+@@ -81,5 +81,10 @@

+ #define XATTR_POSIX_ACL_DEFAULT  "posix_acl_default"

+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT

+ 

++/* User namespace */

++#define XATTR_PAX_PREFIX "pax."

++#define XATTR_PAX_FLAGS_SUFFIX "flags"

++#define XATTR_NAME_USER_PAX_FLAGS XATTR_USER_PREFIX XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX

++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX

+ 

+ #endif /* _UAPI_LINUX_XATTR_H */

 diff --git a/ipc/shm.c b/ipc/shm.c

-index b3048ebd5..41ec32df8 100644

+index bd2fcc4d4..ac5e177c2 100644

 --- a/ipc/shm.c

 +++ b/ipc/shm.c

-@@ -1556,6 +1556,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,

+@@ -1572,6 +1572,10 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,

  		f_flags = O_RDWR;

  	}

  	if (shmflg & SHM_EXEC) {

-+#ifdef CONFIG_PAX_NOWRITEEXEC

-+		goto out;

++#ifdef CONFIG_PAX_MPROTECT

++		if (current->mm->pax_flags & MF_PAX_MPROTECT)

++			goto out;

 +#endif

  		prot |= PROT_EXEC;

  		acc_mode |= S_IXUGO;

  	}

 diff --git a/mm/mmap.c b/mm/mmap.c

-index 9d780f415..07439b77e 100644

+index 14ca25918..59e5c74f1 100644

 --- a/mm/mmap.c

 +++ b/mm/mmap.c

-@@ -1435,6 +1435,17 @@ unsigned long do_mmap(struct file *file, unsigned long addr,

+@@ -1306,6 +1306,17 @@ unsigned long do_mmap(struct file *file, unsigned long addr,

  	vm_flags = calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) |

  			mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;

-+#ifdef CONFIG_PAX_NOWRITEEXEC

-+	if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))

-+		return -EPERM;

 +#ifdef CONFIG_PAX_MPROTECT

-+	if (!(vm_flags & VM_EXEC))

-+		vm_flags &= ~VM_MAYEXEC;

-+	else

-+		vm_flags &= ~VM_MAYWRITE;

-+#endif

++	if (mm->pax_flags & MF_PAX_MPROTECT) {

++		if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))

++			return -EPERM;

++		if (!(vm_flags & VM_EXEC))

++			vm_flags &= ~VM_MAYEXEC;

++		else

++			vm_flags &= ~VM_MAYWRITE;

++	}

 +#endif

 +

  	if (flags & MAP_LOCKED)

  		if (!can_do_mlock())

  			return -EPERM;

-@@ -2947,6 +2947,9 @@ static int do_brk_flags(struct ma_state *mas, struct vm_area_struct *vma,

+@@ -2974,6 +2985,10 @@ static int do_brk_flags(struct ma_state *mas, struct vm_area_struct *vma,

  	 * Note: This happens *after* clearing old mappings in some code paths.

  	 */

  	flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;

 +#ifdef CONFIG_PAX_MPROTECT

-+	flags &= ~VM_MAYEXEC;

++	if (mm->pax_flags & MF_PAX_MPROTECT)

++		flags &= ~VM_MAYEXEC;

 +#endif

  	if (!may_expand_vm(mm, flags, len >> PAGE_SHIFT))

  		return -ENOMEM;

-@@ -3385,6 +3399,17 @@ static struct vm_area_struct *__install_special_mapping(

+@@ -3433,6 +3448,17 @@ static struct vm_area_struct *__install_special_mapping(

  	vma->vm_start = addr;

  	vma->vm_end = addr + len;

-+#ifdef CONFIG_PAX_NOWRITEEXEC

-+	if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))

-+		return ERR_PTR(-EPERM);

 +#ifdef CONFIG_PAX_MPROTECT

-+	if (!(vm_flags & VM_EXEC))

-+		vm_flags &= ~VM_MAYEXEC;

-+	else

-+		vm_flags &= ~VM_MAYWRITE;

-+#endif

++	if (mm->pax_flags & MF_PAX_MPROTECT) {

++		if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))

++			return ERR_PTR(-EPERM);

++		if (!(vm_flags & VM_EXEC))

++			vm_flags &= ~VM_MAYEXEC;

++		else

++			vm_flags &= ~VM_MAYWRITE;

++	}

 +#endif

 +

  	vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;

  	vma->vm_flags &= VM_LOCKED_CLEAR_MASK;

  	vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);

 diff --git a/mm/mprotect.c b/mm/mprotect.c

-index bc6bddd15..2bd5837d0 100644

+index 668bfaa6e..4fe86436b 100644

 --- a/mm/mprotect.c

 +++ b/mm/mprotect.c

 @@ -26,6 +26,10 @@

@@ -538,7 +750,7 @@ index bc6bddd15..2bd5837d0 100644

  #include <linux/uaccess.h>

  #include <linux/mm_inline.h>

  #include <linux/pgtable.h>

-@@ -622,6 +626,10 @@ mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma,

+@@ -631,6 +635,10 @@ mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma,

  	 * held in write mode.

  	 */

  	vma->vm_flags = newflags;

@@ -549,7 +761,7 @@ index bc6bddd15..2bd5837d0 100644

  	/*

  	 * We want to check manually if we can change individual PTEs writable

  	 * if we can't do that automatically for all PTEs in a mapping. For

-@@ -747,6 +747,11 @@ static int do_mprotect_pkey(unsigned long start, size_t len,

+@@ -739,6 +747,11 @@ static int do_mprotect_pkey(unsigned long start, size_t len,

  	else

  		prev = mas_prev(&mas, 0);

@@ -561,11 +773,73 @@ index bc6bddd15..2bd5837d0 100644

  	tlb_gather_mmu(&tlb, current->mm);

  	for (nstart = start ; ; ) {

  		unsigned long mask_off_old_flags;

+diff --git a/mm/shmem.c b/mm/shmem.c

+index a8d9fd039..e682ad202 100644

+--- a/mm/shmem.c

+@@ -3315,6 +3315,31 @@ static int shmem_xattr_handler_set(const struct xattr_handler *handler,

+ 	return err;

+ }

+ 

++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS

++static int shmem_user_xattr_handler_set(const struct xattr_handler *handler,

++				   struct user_namespace *mnt_userns,

++				   struct dentry *unused, struct inode *inode,

++				   const char *name, const void *value,

++				   size_t size, int flags)

++{

++	struct shmem_inode_info *info = SHMEM_I(inode);

++	int err;

++

++	if (strcmp(name, XATTR_NAME_PAX_FLAGS))

++		return -EOPNOTSUPP;

++	if (size > 2)

++		return -EINVAL;

++

++	name = xattr_full_name(handler, name);

++	err = simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);

++	if (!err) {

++		inode->i_ctime = current_time(inode);

++		inode_inc_iversion(inode);

++	}

++	return err;

++}

++#endif

++

+ static const struct xattr_handler shmem_security_xattr_handler = {

+ 	.prefix = XATTR_SECURITY_PREFIX,

+ 	.get = shmem_xattr_handler_get,

+@@ -3327,6 +3352,14 @@ static const struct xattr_handler shmem_trusted_xattr_handler = {

+ 	.set = shmem_xattr_handler_set,

+ };

+ 

++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS

++static const struct xattr_handler shmem_user_xattr_handler = {

++	.prefix = XATTR_USER_PREFIX,

++	.get = shmem_xattr_handler_get,

++	.set = shmem_user_xattr_handler_set,

++};

++#endif

++

+ static const struct xattr_handler *shmem_xattr_handlers[] = {

+ #ifdef CONFIG_TMPFS_POSIX_ACL

+ 	&posix_acl_access_xattr_handler,

+@@ -3334,6 +3367,10 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {

+ #endif

+ 	&shmem_security_xattr_handler,

+ 	&shmem_trusted_xattr_handler,

++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS

++	/* Allow pax xattr for tmpfs */

++	&shmem_user_xattr_handler,

++#endif

+ 	NULL

+ };

+ 

 diff --git a/security/Kconfig b/security/Kconfig

-index e6db09a77..1bd57b5d5 100644

+index e6db09a77..0a1c517da 100644

 --- a/security/Kconfig

 +++ b/security/Kconfig

-@@ -5,6 +5,84 @@

+@@ -5,6 +5,97 @@

  menu "Security options"

@@ -594,42 +868,31 @@ index e6db09a77..1bd57b5d5 100644

 +	  are the XFree86 4.x server, the java runtime and wine.

 +

 +if PAX_NOWRITEEXEC

-+choice

-+	prompt "Executable stack"

-+

++config PAX_EMUTRAMP

++	bool "Executable stack emulation"

 +	help

-+	  Select the security model for the binaries with executable stack.

-+

-+	config PAX_EMUTRAMP

-+		bool "emulate"

-+		help

-+		  There are some programs and libraries that for one reason or

-+		  another attempt to execute special small code snippets from

-+		  non-executable memory pages.  Most notable examples are the

-+		  signal handler return code generated by the kernel itself and

-+		  the GCC trampolines.

-+

-+		  If you enabled CONFIG_NOWRITEEXEC then such programs will no

-+		  longer work under your kernel.

-+

-+		  As a remedy you can say Y here enable trampoline emulation for

-+		  the affected programs yet still have the protection provided by

-+		  the non-executable pages.

-+

-+		  NOTE: enabling this feature *may* open up a loophole in the

-+		  protection provided by non-executable pages that an attacker

-+		  could abuse.  Therefore the best solution is to not have any

-+		  files on your system that would require this option.  This can

-+		  be achieved by not using libc5 (which relies on the kernel

-+		  signal handler return code) and not using or rewriting programs

-+		  that make use of the nested function implementation of GCC.

-+		  Skilled users can just fix GCC itself so that it implements

-+		  nested function calls in a way that does not interfere with PaX.

-+

-+	config EXECSTACK_DISABLED

-+		bool "disabled"

-+

-+endchoice

++	  There are some programs and libraries that for one reason or

++	  another attempt to execute special small code snippets from

++	  non executable stack.  Most notable examples are the

++	  signal handler return code generated by the kernel itself and

++	  the GCC trampolines.

++

++	  If you enabled CONFIG_NOWRITEEXEC then such programs will no

++	  longer work under your kernel.

++

++	  As a remedy you can say Y here enable trampoline emulation for

++	  the affected programs yet still have the protection provided by

++	  the non-executable pages.

++

++	  NOTE: enabling this feature *may* open up a loophole in the

++	  protection provided by non-executable pages that an attacker

++	  could abuse.  Therefore the best solution is to not have any

++	  files on your system that would require this option.  This can

++	  be achieved by not using libc5 (which relies on the kernel

++	  signal handler return code) and not using or rewriting programs

++	  that make use of the nested function implementation of GCC.

++	  Skilled users can just fix GCC itself so that it implements

++	  nested function calls in a way that does not interfere with PaX.

 +

 +config PAX_MPROTECT

 +	bool "Restrict mprotect()"

@@ -644,6 +907,30 @@ index e6db09a77..1bd57b5d5 100644

 +	  You should say Y here to complete the protection provided by

 +	  the enforcement of non-executable pages.

 +

++config PAX_XATTR_PAX_FLAGS

++	bool 'Use filesystem extended attributes marking'

++	select CIFS_XATTR if CIFS

++	select EXT2_FS_XATTR if EXT2_FS

++	select EXT3_FS_XATTR if EXT3_FS

++	select F2FS_FS_XATTR if F2FS_FS

++	select JFFS2_FS_XATTR if JFFS2_FS

++	select REISERFS_FS_XATTR if REISERFS_FS

++	select SQUASHFS_XATTR if SQUASHFS

++	select TMPFS_XATTR if TMPFS

++	help

++	  Enabling this option will allow you to control PaX features on

++	  a per executable basis via the 'setfattr' utility.  The control

++	  flags will be read from the user.pax.flags extended attribute of

++	  the file.  This marking has the benefit of supporting binary-only

++	  applications that self-check themselves (e.g., skype) and would

++	  not tolerate chpax/paxctl changes.  The main drawback is that

++	  extended attributes are not supported by some filesystems (e.g.,

++	  isofs, udf, vfat) so copying files through such filesystems will

++	  lose the extended attributes and these PaX markings.

++

++	  If you enable none of the marking options then all applications

++	  will run with PaX enabled on them by default.

++

 +endif

 +endif

 +

@@ -651,5 +938,5 @@ index e6db09a77..1bd57b5d5 100644

  config SECURITY_DMESG_RESTRICT

 -- 

-2.37.3

+2.39.0

@@ -5108,8 +5108,8 @@ diff --git a/security/Kconfig b/security/Kconfig

 index 1bd57b5d5..dc8fbe4fa 100644

 --- a/security/Kconfig

 +++ b/security/Kconfig

-@@ -81,6 +81,26 @@ config PAX_MPROTECT

- 	  the enforcement of non-executable pages.

+@@ -94,6 +94,26 @@ config PAX_XATTR_PAX_FLAGS

+ 	  will run with PaX enabled on them by default.

  endif

 +