Hey Guys,
I'm interested in your thoughts on having every hunk in the entire grsecurity patch wrapped in ifdef or ifndef statements as needed for its context. This way, disabling CONFIG_PAX and/or CONFIG_GRKERNSEC will have the same effect as if the patch wasn't even there in the first place; it skips over the code at compile time.
Now for grsecurity itself (w/o pax) there is the grsec_disabled.c which is used to replace all the functions with simple returns (effectively making that function as if it didn't exist) which I guess is OK. Not so much worried about this one, and it only touches 123 files.
It's CONFIG_PAX that I'm more concerned with. The PAX patch spans a grand total of 480 files in the kernel source, and *does* change kernel behaviour even when completely turned off (an example; see the thread on Xen viewtopic.php?f=1&t=1913&start=15)
This basically boils down to two things:
1) is this something you guys want to do?
2) if not sooner then later, would you mind if I made these changes and submitted the patch to you for review?
Thoughts / criticism welcome.