* [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 3.0.7/
@ 2011-10-26 19:46 Anthony G. Basile
From: Anthony G. Basile @ 2011-10-26 19:46 UTC (permalink / raw
To: gentoo-commits
commit: 63aaa1c36bd3bb3900bf1b86a8c821f470786d53
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 26 19:46:45 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 19:46:45 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=63aaa1c3
Add XT_PAX support to 3.0.7
---
...i.patch => 4420_Z_3_remove-legacy-ei-pax.patch} | 0
3.0.7/4420_Z_7_add-xt-pax.patch | 97 ++++++++++++++++++++
2 files changed, 97 insertions(+), 0 deletions(-)
diff --git a/3.0.7/4420_Z_5_remove-legacy-pax-ei.patch b/3.0.7/4420_Z_3_remove-legacy-ei-pax.patch
similarity index 100%
rename from 3.0.7/4420_Z_5_remove-legacy-pax-ei.patch
rename to 3.0.7/4420_Z_3_remove-legacy-ei-pax.patch
diff --git a/3.0.7/4420_Z_7_add-xt-pax.patch b/3.0.7/4420_Z_7_add-xt-pax.patch
new file mode 100644
index 0000000..0b6a018
--- /dev/null
+++ b/3.0.7/4420_Z_7_add-xt-pax.patch
@@ -0,0 +1,97 @@
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 4779b9f..f769a78 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -32,6 +32,7 @@
+ #include <linux/elf.h>
+ #include <linux/utsname.h>
+ #include <linux/coredump.h>
++#include <linux/xattr.h>
+ #include <asm/uaccess.h>
+ #include <asm/param.h>
+ #include <asm/page.h>
+@@ -647,9 +648,7 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
+ #ifdef CONFIG_PAX_PT_PAX_FLAGS
+ unsigned long i;
+ int found_flags = 0;
+-#endif
+
+-#ifdef CONFIG_PAX_PT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
+@@ -693,6 +692,21 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
+ }
+ #endif
+
++#if defined(CONFIG_PAX_XT_PAX_FLAGS)
++static long pax_parse_xattr_flags(struct dentry *dentry)
++{
++ unsigned long pax_flags = 0UL;
++
++ struct inode *inode = dentry->d_inode;
++ int size = inode->i_op->getxattr(dentry, XATTR_PAX, &pax_flags, sizeof(long));
++ if (size == -ENODATA || size == -EOPNOTSUPP)
++ return -EINVAL;
++
++ current->mm->pax_flags = pax_flags;
++ return 0;
++}
++#endif
++
+ /*
+ * These are the functions used to load ELF style executables and shared
+ * libraries. There is no binary dependent code anywhere else.
+@@ -747,6 +761,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ struct elfhdr interp_elf_ex;
+ } *loc;
+ unsigned long pax_task_size = TASK_SIZE;
++ struct dentry *dentry = bprm->file->f_path.dentry;
+
+ loc = kmalloc(sizeof(*loc), GFP_KERNEL);
+ if (!loc) {
+@@ -911,6 +926,13 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ }
+ #endif
+
++#if defined(CONFIG_PAX_XT_PAX_FLAGS)
++ if (0 > pax_parse_xattr_flags(dentry)) {
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
++#endif
++
+ #ifdef CONFIG_PAX_HAVE_ACL_FLAGS
+ pax_set_initial_flags(bprm);
+ #elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
+diff --git a/include/linux/xattr.h b/include/linux/xattr.h
+index aed54c5..0ba8e8f 100644
+--- a/include/linux/xattr.h
++++ b/include/linux/xattr.h
+@@ -49,6 +49,10 @@
+ #define XATTR_CAPS_SUFFIX "capability"
+ #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+
++/* PaX namespace */
++#define XATTR_PAX_SUFFICE "pax"
++#define XATTR_PAX XATTR_USER_PREFIX XATTR_PAX_SUFFICE
++
+ #ifdef __KERNEL__
+
+ #include <linux/types.h>
+diff --git a/security/Kconfig b/security/Kconfig
+index de3cb0d..a3199ed 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -65,6 +65,11 @@ config PAX_PT_PAX_FLAGS
+ If your toolchain does not support PT_PAX_FLAGS markings,
+ you can create one in most cases with 'paxctl -C'.
+
++config PAX_XT_PAX_FLAGS
++ bool 'Use Extended Attribute marking'
++ help
++ TODO: use xattr field 'user.pax' for markings
++
+ choice
+ prompt 'MAC system integration'
+ default PAX_HAVE_ACL_FLAGS
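Review bot: `pax_parse_xattr_flags` calls `inode->i_op->getxattr` at `int size = inode->i_op->getxattr(dentry, XATTR_PAX, &pax_flags, sizeof(long));` without checking that the operation exists, so executing a binary on a filesystem that provides no xattr operations dereferences a NULL function pointer in the exec path; add `if (!inode->i_op->getxattr) return -EINVAL;` before the call, which matches the hunk's own policy of failing on -EOPNOTSUPP. The raw attribute value is then written straight into `current->mm->pax_flags`, whereas the PT_PAX path at the top of this hunk rejects contradictory PF_*/PF_NO* pairs and converts them through pax_parse_hardmode/pax_parse_softmode and pax_check_flags into MF_PAX_* bits, so the xattr path appears to install an unvalidated value in a different encoding, and it also treats every getxattr error other than -ENODATA/-EOPNOTSUPP (e.g. -ERANGE for an oversized attribute) as success with flags = 0. Returning -EINVAL on -EOPNOTSUPP means every exec from an xattr-less filesystem is SIGKILLed, which is worth stating as a deliberate choice in the Kconfig help, currently still `TODO: use xattr field 'user.pax' for markings`. Two smaller points: `XATTR_PAX_SUFFICE` is a misspelling of `XATTR_PAX_SUFFIX`, and the `user.` namespace is settable by anyone with write access to the binary — the same trust boundary as a paxctl-written PT_PAX header, but it should be documented.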
* [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 3.0.7/
@ 2011-11-02 9:06 Anthony G. Basile
From: Anthony G. Basile @ 2011-11-02 9:06 UTC (permalink / raw
To: gentoo-commits
commit: df7c1d21a0f393719641566ce3e0f2ec07de95ba
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 2 09:06:48 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 09:06:48 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=df7c1d21
Removed README
---
3.0.7/0000_README | 52 ----------------------------------------------------
1 files changed, 0 insertions(+), 52 deletions(-)
diff --git a/3.0.7/0000_README b/3.0.7/0000_README
deleted file mode 100644
index 406c7d8..0000000
--- a/3.0.7/0000_README
+++ /dev/null
@@ -1,52 +0,0 @@
-README
------------------------------------------------------------------------------
-
-Individual Patch Descriptions:
------------------------------------------------------------------------------
-Patch: 1006_linux-3.0.7.patch
-From: http://www.kernel.org
-Desc: Linux 3.0.7
-
-Patch: 4420_grsecurity-2.2.2-3.0.7-201110200052.patch
-From: http://www.grsecurity.net
-Desc: hardened-sources base patch from upstream grsecurity
-
-Patch: 4421_grsec-remove-localversion-grsec.patch
-From: Kerin Millar <kerframil@gmail.com>
-Desc: Removes grsecurity's localversion-grsec file
-
-Patch: 4422_grsec-mute-warnings.patch
-From: Alexander Gabert <gaberta@fh-trier.de>
- Gordon Malm <gengor@gentoo.org>
-Desc: Removes verbose compile warning settings from grsecurity, restores
- mainline Linux kernel behavior
-
-Patch: 4423_grsec-remove-protected-paths.patch
-From: Anthony G. Basile <blueness@gentoo.org>
-Desc: Removes chmod statements from grsecurity/Makefile
-
-Patch: 4425_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@gentoo.org>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
-Patch: 4430_grsec-kconfig-default-gids.patch
-From: Kerin Millar <kerframil@gmail.com>
-Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
- features
-
-Patch: 4435_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@gentoo.org>
- Kerin Millar <kerframil@gmail.com>
- Anthony G. Basile <blueness@gentoo.org>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
- sets Hardened Gentoo [workstation] as default
-
-Patch: 4440_selinux-avc_audit-log-curr_ip.patch
-From: Gordon Malm <gengor@gentoo.org>
- Anthony G. Basile <blueness@gentoo.org>
-Desc: Configurable option to add src IP address to SELinux log messages
-
-Patch: 4445_disable-compat_vdso.patch
-From: Gordon Malm <gengor@gentoo.org>
- Kerin Millar <kerframil@gmail.com>
-Desc: Disables VDSO_COMPAT operation completely
* [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 3.0.7/
@ 2011-11-02 9:31 Anthony G. Basile
From: Anthony G. Basile @ 2011-11-02 9:31 UTC (permalink / raw
To: gentoo-commits
commit: b6c1ff712c50ef78fb61a14a7ebcba8f0c7e9905
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 2 09:29:11 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 09:29:11 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=b6c1ff71
Rename remove ei-pax patch
---
...i-pax.patch => 4430_remove-legacy-ei-pax.patch} | 0
1 files changed, 0 insertions(+), 0 deletions(-)
diff --git a/3.0.7/4420_remove-legacy-ei-pax.patch b/3.0.7/4430_remove-legacy-ei-pax.patch
similarity index 100%
rename from 3.0.7/4420_remove-legacy-ei-pax.patch
rename to 3.0.7/4430_remove-legacy-ei-pax.patch
* [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 3.0.7/
@ 2011-11-02 23:20 Anthony G. Basile
From: Anthony G. Basile @ 2011-11-02 23:20 UTC (permalink / raw
To: gentoo-commits
commit: 346846be4533d393006d8749ecea52d359efd3bb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 2 23:20:13 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 23:20:13 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=346846be
First working version of XT_PAX
---
3.0.7/4430_remove-legacy-ei-pax.patch | 87 ++++++----
3.0.7/4440_Rename-PT_PAX-to-XT_PAX.patch | 207 +++++++++++++++++++++++
3.0.7/4450_Use-XT_PAX-insteadof-PT_PAX.patch | 227 ++++++++++++++++++++++++++
3.0.7/4450_add-xt-pax.patch | 97 -----------
4 files changed, 486 insertions(+), 132 deletions(-)
diff --git a/3.0.7/4430_remove-legacy-ei-pax.patch b/3.0.7/4430_remove-legacy-ei-pax.patch
index dc5a894..476cbc4 100644
--- a/3.0.7/4430_remove-legacy-ei-pax.patch
+++ b/3.0.7/4430_remove-legacy-ei-pax.patch
@@ -1,13 +1,22 @@
-From: Anthony G. Basile <blueness@gentoo.org>
+From 08b996f6537c593b67a371605dc16f8ad30121dd Mon Sep 17 00:00:00 2001
+From: root <root@xt-pax.(none)>
+Date: Wed, 2 Nov 2011 10:23:01 +0000
+Subject: [PATCH 1/3] Remove EI_PAX
-This patch removes all references to legacy EI_PAX markings
-in favor of PT_PAX. It should be applied immediately after
-the grsecurity patch.
+---
+ fs/binfmt_elf.c | 55 +++----------------------------------------
+ grsecurity/Kconfig | 2 -
+ include/linux/elf.h | 2 -
+ include/linux/grsecurity.h | 8 +++---
+ include/linux/mm_types.h | 2 +-
+ security/Kconfig | 21 +---------------
+ 6 files changed, 11 insertions(+), 79 deletions(-)
-diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
---- a/fs/binfmt_elf.c 2011-10-25 17:42:18.000000000 -0400
-+++ b/fs/binfmt_elf.c 2011-10-25 17:49:46.000000000 -0400
-@@ -553,7 +553,7 @@
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 9f89be2..4779b9f 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -553,7 +553,7 @@ out:
return error;
}
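Review bot: The rewritten header of 4430_remove-legacy-ei-pax.patch attributes the patch to `From: root <root@xt-pax.(none)>` while patches 2/3 and 3/3 in the same series carry the maintainer's real identity; for a hardened patchset that downstream builds apply blindly, provenance matters, so the trailer should read `From: Anthony G. Basile <blueness@gentoo.org>` like the other two. The conversion to git format also drops the old description ("removes all references to legacy EI_PAX markings in favor of PT_PAX ... should be applied immediately after the grsecurity patch") and leaves the commit body empty, so the ordering constraint is no longer documented anywhere; restore that text as the patch description under the Subject line.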
@@ -16,7 +25,7 @@ diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
{
unsigned long pax_flags = 0UL;
-@@ -639,50 +639,7 @@
+@@ -639,50 +639,7 @@ static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata
}
#endif
@@ -68,7 +77,7 @@ diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
{
unsigned long pax_flags = 0UL;
-@@ -692,10 +649,6 @@
+@@ -692,10 +649,6 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
int found_flags = 0;
#endif
@@ -79,7 +88,7 @@ diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
#ifdef CONFIG_PAX_PT_PAX_FLAGS
for (i = 0UL; i < elf_ex->e_phnum; i++)
if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
-@@ -718,7 +671,7 @@
+@@ -718,7 +671,7 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
}
#endif
@@ -88,7 +97,7 @@ diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
if (found_flags == 0) {
struct elf_phdr phdr;
memset(&phdr, 0, sizeof(phdr));
-@@ -951,7 +904,7 @@
+@@ -951,7 +904,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
current->mm->def_flags = 0;
@@ -97,10 +106,11 @@ diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
send_sig(SIGKILL, current, 0);
goto out_free_dentry;
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-10-25 17:42:18.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-10-25 17:44:35.000000000 -0400
-@@ -47,7 +47,6 @@
+diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
+index 2df8a14..5090312 100644
+--- a/grsecurity/Kconfig
++++ b/grsecurity/Kconfig
+@@ -47,7 +47,6 @@ config GRKERNSEC_LOW
config GRKERNSEC_MEDIUM
bool "Medium"
select PAX
@@ -108,7 +118,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
select PAX_PT_PAX_FLAGS
select PAX_HAVE_ACL_FLAGS
select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-@@ -143,7 +142,6 @@
+@@ -143,7 +142,6 @@ config GRKERNSEC_HIGH
select PAX_RANDMMAP
select PAX_NOEXEC
select PAX_MPROTECT
@@ -116,10 +126,11 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
select PAX_PT_PAX_FLAGS
select PAX_HAVE_ACL_FLAGS
select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-diff -Naur a/include/linux/elf.h b/include/linux/elf.h
---- a/include/linux/elf.h 2011-10-25 17:42:18.000000000 -0400
-+++ b/include/linux/elf.h 2011-10-25 17:44:35.000000000 -0400
-@@ -370,8 +370,6 @@
+diff --git a/include/linux/elf.h b/include/linux/elf.h
+index cb14c08..5cd548b 100644
+--- a/include/linux/elf.h
++++ b/include/linux/elf.h
+@@ -370,8 +370,6 @@ typedef struct elf64_shdr {
#define EI_OSABI 7
#define EI_PAD 8
@@ -128,9 +139,10 @@ diff -Naur a/include/linux/elf.h b/include/linux/elf.h
#define ELFMAG0 0x7f /* EI_MAG */
#define ELFMAG1 'E'
#define ELFMAG2 'L'
-diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
---- a/include/linux/grsecurity.h 2011-10-25 17:42:18.000000000 -0400
-+++ b/include/linux/grsecurity.h 2011-10-25 17:44:35.000000000 -0400
+diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+index 9a067c3..5a4078a 100644
+--- a/include/linux/grsecurity.h
++++ b/include/linux/grsecurity.h
@@ -12,11 +12,11 @@
#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
@@ -147,10 +159,11 @@ diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
#endif
#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
-diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
---- a/include/linux/mm_types.h 2011-10-25 17:42:18.000000000 -0400
-+++ b/include/linux/mm_types.h 2011-10-25 17:44:35.000000000 -0400
-@@ -319,7 +319,7 @@
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index 00e8ce6..3b82044 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -319,7 +319,7 @@ struct mm_struct {
struct cpumask cpumask_allocation;
#endif
@@ -159,10 +172,11 @@ diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
unsigned long pax_flags;
#endif
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-10-25 17:42:19.000000000 -0400
-+++ b/security/Kconfig 2011-10-25 17:44:35.000000000 -0400
-@@ -51,20 +51,6 @@
+diff --git a/security/Kconfig b/security/Kconfig
+index 9ace91e..49af5e8 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -51,20 +51,6 @@ config PAX_SOFTMODE
line option on boot. Furthermore you can control various PaX features
at runtime via the entries in /proc/sys/kernel/pax.
@@ -183,7 +197,7 @@ diff -Naur a/security/Kconfig b/security/Kconfig
config PAX_PT_PAX_FLAGS
bool 'Use ELF program header marking'
help
-@@ -79,9 +65,6 @@
+@@ -79,9 +65,6 @@ config PAX_PT_PAX_FLAGS
If your toolchain does not support PT_PAX_FLAGS markings,
you can create one in most cases with 'paxctl -C'.
@@ -193,7 +207,7 @@ diff -Naur a/security/Kconfig b/security/Kconfig
choice
prompt 'MAC system integration'
default PAX_HAVE_ACL_FLAGS
-@@ -113,7 +96,7 @@
+@@ -113,7 +96,7 @@ menu "Non-executable pages"
config PAX_NOEXEC
bool "Enforce non-executable pages"
@@ -202,7 +216,7 @@ diff -Naur a/security/Kconfig b/security/Kconfig
help
By design some architectures do not allow for protecting memory
pages against execution or even if they do, Linux does not make
-@@ -360,7 +343,7 @@
+@@ -360,7 +343,7 @@ menu "Address Space Layout Randomization"
config PAX_ASLR
bool "Address Space Layout Randomization"
@@ -211,3 +225,6 @@ diff -Naur a/security/Kconfig b/security/Kconfig
help
Many if not most exploit techniques rely on the knowledge of
certain addresses in the attacked program. The following options
+--
+1.7.3.4
+
diff --git a/3.0.7/4440_Rename-PT_PAX-to-XT_PAX.patch b/3.0.7/4440_Rename-PT_PAX-to-XT_PAX.patch
new file mode 100644
index 0000000..8069f58
--- /dev/null
+++ b/3.0.7/4440_Rename-PT_PAX-to-XT_PAX.patch
@@ -0,0 +1,207 @@
+From aabe9e7d87edded9bdc232cbfe224a8ca7e95d2d Mon Sep 17 00:00:00 2001
+From: Anthony G. Basile <blueness@gentoo.org>
+Date: Wed, 2 Nov 2011 10:29:14 +0000
+Subject: [PATCH 2/3] Rename PT_PAX to XT_PAX
+
+---
+ fs/binfmt_elf.c | 16 ++++++++--------
+ grsecurity/Kconfig | 4 ++--
+ include/linux/elf.h | 2 +-
+ include/linux/grsecurity.h | 8 ++++----
+ include/linux/mm_types.h | 2 +-
+ security/Kconfig | 23 +++++++----------------
+ 6 files changed, 23 insertions(+), 32 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 4779b9f..75d6e2b 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -553,7 +553,7 @@ out:
+ return error;
+ }
+
+-#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++#if (defined(CONFIG_PAX_XT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -596,7 +596,7 @@ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata
+ }
+ #endif
+
+-#ifdef CONFIG_PAX_PT_PAX_FLAGS
++#ifdef CONFIG_PAX_XT_PAX_FLAGS
+ static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -639,19 +639,19 @@ static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata
+ }
+ #endif
+
+-#if defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_XT_PAX_FLAGS)
+ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+
+-#ifdef CONFIG_PAX_PT_PAX_FLAGS
++#ifdef CONFIG_PAX_XT_PAX_FLAGS
+ unsigned long i;
+ int found_flags = 0;
+ #endif
+
+-#ifdef CONFIG_PAX_PT_PAX_FLAGS
++#ifdef CONFIG_PAX_XT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+- if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
++ if (elf_phdata[i].p_type == XT_PAX_FLAGS) {
+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
+@@ -671,7 +671,7 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
+ }
+ #endif
+
+-#if defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_XT_PAX_FLAGS)
+ if (found_flags == 0) {
+ struct elf_phdr phdr;
+ memset(&phdr, 0, sizeof(phdr));
+@@ -904,7 +904,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+
+ current->mm->def_flags = 0;
+
+-#if defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_XT_PAX_FLAGS)
+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
+index 5090312..7da631a 100644
+--- a/grsecurity/Kconfig
++++ b/grsecurity/Kconfig
+@@ -47,7 +47,7 @@ config GRKERNSEC_LOW
+ config GRKERNSEC_MEDIUM
+ bool "Medium"
+ select PAX
+- select PAX_PT_PAX_FLAGS
++ select PAX_XT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_CHROOT
+@@ -142,7 +142,7 @@ config GRKERNSEC_HIGH
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+- select PAX_PT_PAX_FLAGS
++ select PAX_XT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+diff --git a/include/linux/elf.h b/include/linux/elf.h
+index 5cd548b..e5046be 100644
+--- a/include/linux/elf.h
++++ b/include/linux/elf.h
+@@ -51,7 +51,7 @@ typedef __s64 Elf64_Sxword;
+ #define PT_GNU_STACK (PT_LOOS + 0x474e551)
+ #define PT_GNU_RELRO (PT_LOOS + 0x474e552)
+
+-#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
++#define XT_PAX_FLAGS (PT_LOOS + 0x5041580)
+
+ /* Constants for the e_flags field */
+ #define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
+diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+index 5a4078a..eda5926 100644
+--- a/include/linux/grsecurity.h
++++ b/include/linux/grsecurity.h
+@@ -12,11 +12,11 @@
+ #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
+ #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
+ #endif
+-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_XT_PAX_FLAGS)
++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_XT_PAX_FLAGS is not enabled."
+ #endif
+-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_XT_PAX_FLAGS)
++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_XT_PAX_FLAGS is not enabled."
+ #endif
+ #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
+ #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index 3b82044..8cf64ce 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -319,7 +319,7 @@ struct mm_struct {
+ struct cpumask cpumask_allocation;
+ #endif
+
+-#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++#if defined(CONFIG_PAX_XT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+ #endif
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 49af5e8..dcac773 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -40,30 +40,21 @@ menu "PaX Control"
+
+ config PAX_SOFTMODE
+ bool 'Support soft mode'
+- select PAX_PT_PAX_FLAGS
++ select PAX_XT_PAX_FLAGS
+ help
+ Enabling this option will allow you to run PaX in soft mode, that
+ is, PaX features will not be enforced by default, only on executables
+- marked explicitly. You must also enable PT_PAX_FLAGS support as it
++ marked explicitly. You must also enable XT_PAX_FLAGS support as it
+ is the only way to mark executables for soft mode use.
+
+ Soft mode can be activated by using the "pax_softmode=1" kernel command
+ line option on boot. Furthermore you can control various PaX features
+ at runtime via the entries in /proc/sys/kernel/pax.
+
+-config PAX_PT_PAX_FLAGS
+- bool 'Use ELF program header marking'
++config PAX_XT_PAX_FLAGS
++ bool 'Use filesystem extended attribute marking'
+ help
+- Enabling this option will allow you to control PaX features on
+- a per executable basis via the 'paxctl' utility available at
+- http://pax.grsecurity.net/. The control flags will be read from
+- a PaX specific ELF program header (PT_PAX_FLAGS). This marking
+- has the benefits of supporting both soft mode and being fully
+- integrated into the toolchain (the binutils patch is available
+- from http://pax.grsecurity.net).
+-
+- If your toolchain does not support PT_PAX_FLAGS markings,
+- you can create one in most cases with 'paxctl -C'.
++ TODO: add a description
+
+ choice
+ prompt 'MAC system integration'
+@@ -96,7 +87,7 @@ menu "Non-executable pages"
+
+ config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+- depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
++ depends on (PAX_XT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
+@@ -343,7 +334,7 @@ menu "Address Space Layout Randomization"
+
+ config PAX_ASLR
+ bool "Address Space Layout Randomization"
+- depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ depends on PAX_XT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+ help
+ Many if not most exploit techniques rely on the knowledge of
+ certain addresses in the attacked program. The following options
+--
+1.7.3.4
+
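Review bot: After this patch the Kconfig symbol is `PAX_XT_PAX_FLAGS` with the prompt `'Use filesystem extended attribute marking'`, but everything it guards — `pax_parse_elf_flags`, and `XT_PAX_FLAGS` still defined as `(PT_LOOS + 0x5041580)` — continues to read PaX flags from an ELF program header, so at this point in the series the option's name and prompt misdescribe what the kernel does; consider folding the rename into patch 3/3 or keeping the old prompt until the xattr reader lands so the series stays bisectable. The help text that replaced the PT_PAX description is `TODO: add a description`; it should at least say which attribute is read (`user.pax`), which tool sets it (none is named anywhere in the series), and that anyone with write access to the binary can change the marking. `XT_PAX_FLAGS` in elf.h is still a program-header type constant and appears unused once patch 3/3 removes the header loop, so it should presumably be deleted rather than renamed — confirm no other user in the tree.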
diff --git a/3.0.7/4450_Use-XT_PAX-insteadof-PT_PAX.patch b/3.0.7/4450_Use-XT_PAX-insteadof-PT_PAX.patch
new file mode 100644
index 0000000..926d764
--- /dev/null
+++ b/3.0.7/4450_Use-XT_PAX-insteadof-PT_PAX.patch
@@ -0,0 +1,227 @@
+From 0183e57845ef783197aee28755a037e1813aeed8 Mon Sep 17 00:00:00 2001
+From: Anthony G. Basile <blueness@gentoo.org>
+Date: Wed, 2 Nov 2011 23:09:54 +0000
+Subject: [PATCH 3/3] Use XT_PAX instead of PT_PAX
+
+---
+ fs/binfmt_elf.c | 103 ++++++++++++++++++++++++-------------------------
+ include/linux/xattr.h | 3 +
+ 2 files changed, 53 insertions(+), 53 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 75d6e2b..da3837c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -32,6 +32,7 @@
+ #include <linux/elf.h>
+ #include <linux/utsname.h>
+ #include <linux/coredump.h>
++#include <linux/xattr.h>
+ #include <asm/uaccess.h>
+ #include <asm/param.h>
+ #include <asm/page.h>
+@@ -554,17 +555,17 @@ out:
+ }
+
+ #if (defined(CONFIG_PAX_XT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+-static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
++static unsigned long pax_parse_softmode(unsigned long read_flags)
+ {
+ unsigned long pax_flags = 0UL;
+
+ #ifdef CONFIG_PAX_PAGEEXEC
+- if (elf_phdata->p_flags & PF_PAGEEXEC)
++ if (read_flags & PF_PAGEEXEC)
+ pax_flags |= MF_PAX_PAGEEXEC;
+ #endif
+
+ #ifdef CONFIG_PAX_SEGMEXEC
+- if (elf_phdata->p_flags & PF_SEGMEXEC)
++ if (read_flags & PF_SEGMEXEC)
+ pax_flags |= MF_PAX_SEGMEXEC;
+ #endif
+
+@@ -578,17 +579,17 @@ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata
+ #endif
+
+ #ifdef CONFIG_PAX_EMUTRAMP
+- if (elf_phdata->p_flags & PF_EMUTRAMP)
++ if (read_flags & PF_EMUTRAMP)
+ pax_flags |= MF_PAX_EMUTRAMP;
+ #endif
+
+ #ifdef CONFIG_PAX_MPROTECT
+- if (elf_phdata->p_flags & PF_MPROTECT)
++ if (read_flags & PF_MPROTECT)
+ pax_flags |= MF_PAX_MPROTECT;
+ #endif
+
+ #if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
+- if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
++ if (randomize_va_space && (read_flags & PF_RANDMMAP))
+ pax_flags |= MF_PAX_RANDMMAP;
+ #endif
+
+@@ -597,17 +598,17 @@ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata
+ #endif
+
+ #ifdef CONFIG_PAX_XT_PAX_FLAGS
+-static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
++static unsigned long pax_parse_hardmode(unsigned long read_flags)
+ {
+ unsigned long pax_flags = 0UL;
+
+ #ifdef CONFIG_PAX_PAGEEXEC
+- if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
++ if (!(read_flags & PF_NOPAGEEXEC))
+ pax_flags |= MF_PAX_PAGEEXEC;
+ #endif
+
+ #ifdef CONFIG_PAX_SEGMEXEC
+- if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
++ if (!(read_flags & PF_NOSEGMEXEC))
+ pax_flags |= MF_PAX_SEGMEXEC;
+ #endif
+
+@@ -621,17 +622,17 @@ static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata
+ #endif
+
+ #ifdef CONFIG_PAX_EMUTRAMP
+- if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
++ if (!(read_flags & PF_NOEMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
+ #endif
+
+ #ifdef CONFIG_PAX_MPROTECT
+- if (!(elf_phdata->p_flags & PF_NOMPROTECT))
++ if (!(read_flags & PF_NOMPROTECT))
+ pax_flags |= MF_PAX_MPROTECT;
+ #endif
+
+ #if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
+- if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
++ if (randomize_va_space && !(read_flags & PF_NORANDMMAP))
+ pax_flags |= MF_PAX_RANDMMAP;
+ #endif
+
+@@ -639,51 +640,46 @@ static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata
+ }
+ #endif
+
+-#if defined(CONFIG_PAX_XT_PAX_FLAGS)
+-static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
++#ifdef CONFIG_PAX_XT_PAX_FLAGS
++static long pax_parse_xattr_flags(struct dentry * dentry)
+ {
+ unsigned long pax_flags = 0UL;
++ unsigned long read_flags = 0UL;
++ struct inode * inode = dentry->d_inode;
++
++ if (inode->i_op->getxattr)
++ if (inode->i_op->getxattr(dentry, XATTR_PAX, &read_flags, sizeof(long)) <= 0)
++ read_flags = PF_NOEMUTRAMP;
++
++ char buf[8];
++ buf[0] = buf[1] = buf[2] = buf[3] = buf[4] = buf[5] = '-';
++ buf[6] = 0;
++
++ if (read_flags & PF_PAGEEXEC) buf[0] = 'P';
++ if (read_flags & PF_NOPAGEEXEC) buf[0] = 'p';
++ if (read_flags & PF_SEGMEXEC) buf[1] = 'S';
++ if (read_flags & PF_NOSEGMEXEC) buf[1] = 's';
++ if (read_flags & PF_MPROTECT) buf[2] = 'M';
++ if (read_flags & PF_NOMPROTECT) buf[2] = 'm';
++ if (read_flags & PF_EMUTRAMP) buf[3] = 'E';
++ if (read_flags & PF_NOEMUTRAMP) buf[3] = 'e';
++ if (read_flags & PF_RANDMMAP) buf[4] = 'R';
++ if (read_flags & PF_NORANDMMAP) buf[4] = 'r';
++ printk("\t%s\n", buf);
++
++ if (((read_flags & PF_PAGEEXEC) && (read_flags & PF_NOPAGEEXEC)) ||
++ ((read_flags & PF_SEGMEXEC) && (read_flags & PF_NOSEGMEXEC)) ||
++ ((read_flags & PF_EMUTRAMP) && (read_flags & PF_NOEMUTRAMP)) ||
++ ((read_flags & PF_MPROTECT) && (read_flags & PF_NOMPROTECT)) ||
++ ((read_flags & PF_RANDMMAP) && (read_flags & PF_NORANDMMAP)))
++ return -EINVAL;
+
+-#ifdef CONFIG_PAX_XT_PAX_FLAGS
+- unsigned long i;
+- int found_flags = 0;
+-#endif
+-
+-#ifdef CONFIG_PAX_XT_PAX_FLAGS
+- for (i = 0UL; i < elf_ex->e_phnum; i++)
+- if (elf_phdata[i].p_type == XT_PAX_FLAGS) {
+- if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
+- ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
+- ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
+- ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
+- ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
+- return -EINVAL;
+-
+-#ifdef CONFIG_PAX_SOFTMODE
+- if (pax_softmode)
+- pax_flags = pax_parse_softmode(&elf_phdata[i]);
+- else
+-#endif
+-
+- pax_flags = pax_parse_hardmode(&elf_phdata[i]);
+- found_flags = 1;
+- break;
+- }
+-#endif
+-
+-#if defined(CONFIG_PAX_XT_PAX_FLAGS)
+- if (found_flags == 0) {
+- struct elf_phdr phdr;
+- memset(&phdr, 0, sizeof(phdr));
+- phdr.p_flags = PF_NOEMUTRAMP;
+ #ifdef CONFIG_PAX_SOFTMODE
+- if (pax_softmode)
+- pax_flags = pax_parse_softmode(&phdr);
+- else
+-#endif
+- pax_flags = pax_parse_hardmode(&phdr);
+- }
++ if (pax_softmode)
++ pax_flags = pax_parse_softmode(read_flags);
++ else
+ #endif
++ pax_flags = pax_parse_hardmode(read_flags);
+
+ if (0 > pax_check_flags(&pax_flags))
+ return -EINVAL;
+@@ -747,6 +743,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ struct elfhdr interp_elf_ex;
+ } *loc;
+ unsigned long pax_task_size = TASK_SIZE;
++ struct dentry * dentry = bprm->file->f_path.dentry;
+
+ loc = kmalloc(sizeof(*loc), GFP_KERNEL);
+ if (!loc) {
+@@ -905,7 +902,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ current->mm->def_flags = 0;
+
+ #if defined(CONFIG_PAX_XT_PAX_FLAGS)
+- if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
++ if (0 > pax_parse_xattr_flags(dentry)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+ }
+diff --git a/include/linux/xattr.h b/include/linux/xattr.h
+index aed54c5..53636e4 100644
+--- a/include/linux/xattr.h
++++ b/include/linux/xattr.h
+@@ -49,6 +49,9 @@
+ #define XATTR_CAPS_SUFFIX "capability"
+ #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+
++#define XATTR_PAX_SUFFIX "pax"
++#define XATTR_PAX XATTR_USER_PREFIX XATTR_PAX_SUFFIX
++
+ #ifdef __KERNEL__
+
+ #include <linux/types.h>
+--
+1.7.3.4
+
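Review bot: The new `pax_parse_xattr_flags` leaves a debugging `printk("\t%s\n", buf);` with no log level that writes one line per exec, i.e. every binary's PaX marking ends up in the kernel log; together with `char buf[8];` being declared after statements (a `-Wdeclaration-after-statement` warning under the kernel's gnu89 build) the whole buf/printk block should be dropped or reduced to a `pr_debug` before this lands. The fallback is also inconsistent: a missing or unreadable attribute yields `read_flags = PF_NOEMUTRAMP` (the default the removed PT_PAX code used), but when `inode->i_op->getxattr` is NULL `read_flags` stays 0, which in hard mode enables EMUTRAMP on every binary from such a filesystem. The attribute is read as a raw native `unsigned long`, so its on-disk format depends on word size and byte order — presumably acceptable for a first version, but worth a comment, as is the fact that `user.pax` can be set by anyone with write access to the file and that calling `i_op->getxattr` directly bypasses the VFS permission and LSM hooks `vfs_getxattr` would run. The rewritten head of the function follows; the contradictory-flag check and the soft/hard-mode dispatch are unchanged.
```c
static long pax_parse_xattr_flags(struct dentry * dentry)
{
	unsigned long pax_flags = 0UL;
	unsigned long read_flags = 0UL;
	struct inode * inode = dentry->d_inode;

	/*
	 * No xattr ops, no attribute, or a read error all fall back to the
	 * same default the PT_PAX path used: everything on except EMUTRAMP.
	 * The value is stored as a raw native unsigned long (not portable
	 * across word size / endianness) and lives in the user.* namespace,
	 * so anyone who can write the binary can change its marking.
	 */
	if (!inode->i_op->getxattr ||
	    inode->i_op->getxattr(dentry, XATTR_PAX, &read_flags, sizeof(read_flags)) <= 0)
		read_flags = PF_NOEMUTRAMP;

	/* … unchanged: contradictory PF_*/PF_NO* check, softmode/hardmode dispatch, pax_check_flags … */
```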
diff --git a/3.0.7/4450_add-xt-pax.patch b/3.0.7/4450_add-xt-pax.patch
deleted file mode 100644
index 0b6a018..0000000
--- a/3.0.7/4450_add-xt-pax.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 4779b9f..f769a78 100644
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -32,6 +32,7 @@
- #include <linux/elf.h>
- #include <linux/utsname.h>
- #include <linux/coredump.h>
-+#include <linux/xattr.h>
- #include <asm/uaccess.h>
- #include <asm/param.h>
- #include <asm/page.h>
-@@ -647,9 +648,7 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
- #ifdef CONFIG_PAX_PT_PAX_FLAGS
- unsigned long i;
- int found_flags = 0;
--#endif
-
--#ifdef CONFIG_PAX_PT_PAX_FLAGS
- for (i = 0UL; i < elf_ex->e_phnum; i++)
- if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
- if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
-@@ -693,6 +692,21 @@ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct
- }
- #endif
-
-+#if defined(CONFIG_PAX_XT_PAX_FLAGS)
-+static long pax_parse_xattr_flags(struct dentry *dentry)
-+{
-+ unsigned long pax_flags = 0UL;
-+
-+ struct inode *inode = dentry->d_inode;
-+ int size = inode->i_op->getxattr(dentry, XATTR_PAX, &pax_flags, sizeof(long));
-+ if (size == -ENODATA || size == -EOPNOTSUPP)
-+ return -EINVAL;
-+
-+ current->mm->pax_flags = pax_flags;
-+ return 0;
-+}
-+#endif
-+
- /*
- * These are the functions used to load ELF style executables and shared
- * libraries. There is no binary dependent code anywhere else.
-@@ -747,6 +761,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
- struct elfhdr interp_elf_ex;
- } *loc;
- unsigned long pax_task_size = TASK_SIZE;
-+ struct dentry *dentry = bprm->file->f_path.dentry;
-
- loc = kmalloc(sizeof(*loc), GFP_KERNEL);
- if (!loc) {
-@@ -911,6 +926,13 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
- }
- #endif
-
-+#if defined(CONFIG_PAX_XT_PAX_FLAGS)
-+ if (0 > pax_parse_xattr_flags(dentry)) {
-+ send_sig(SIGKILL, current, 0);
-+ goto out_free_dentry;
-+ }
-+#endif
-+
- #ifdef CONFIG_PAX_HAVE_ACL_FLAGS
- pax_set_initial_flags(bprm);
- #elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
-diff --git a/include/linux/xattr.h b/include/linux/xattr.h
-index aed54c5..0ba8e8f 100644
---- a/include/linux/xattr.h
-+++ b/include/linux/xattr.h
-@@ -49,6 +49,10 @@
- #define XATTR_CAPS_SUFFIX "capability"
- #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
-
-+/* PaX namespace */
-+#define XATTR_PAX_SUFFICE "pax"
-+#define XATTR_PAX XATTR_USER_PREFIX XATTR_PAX_SUFFICE
-+
- #ifdef __KERNEL__
-
- #include <linux/types.h>
-diff --git a/security/Kconfig b/security/Kconfig
-index de3cb0d..a3199ed 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -65,6 +65,11 @@ config PAX_PT_PAX_FLAGS
- If your toolchain does not support PT_PAX_FLAGS markings,
- you can create one in most cases with 'paxctl -C'.
-
-+config PAX_XT_PAX_FLAGS
-+ bool 'Use Extended Attribute marking'
-+ help
-+ TODO: use xattr field 'user.pax' for markings
-+
- choice
- prompt 'MAC system integration'
- default PAX_HAVE_ACL_FLAGS