From a study of Linux 2.6.5 source code, and some patches.
This is based on studying the source, not running tests, so there
may be errors.
Requested PROT flags | --- R-- -W- RW- --X R-X -WX RWX
ppc | ---(1) r-x rwx(5) rwx r-x(5) r-x rwx(5) rwx
ppc64 | ---(1) r-x rwx(5) rwx r-x(5) r-x rwx(5) rwx
ppc (PaX) | ---(1) r-- rw- rw- r-x r-x rw-(2) rw-(2)
ppc64 (PaX for 2.6) | ---(1) r-- rw- rw- r-x r-x rw-(2) rw-(2)
(1) - In kernel, maybe these pages are readable using "write()"?
In each case that is labelled, I'm not sure from reading the code.
(Pages are always readable using ptrace(), that's ok, but write()
and other kernel reads shouldn't be able to read PROT_NONE pages).
Thus PROT_NONE pages aren't readable from userspace, but it appears
they _are_ readable from kernel space. Is this correct?
No. Kernel accesses to pages in the user portion of the address space
(0 .. TASK_SIZE-1) are done using the user permissions. On classic
PPC this is implemented (in part) by setting Ks = Kp = 1 in the
segment descriptors for the user segments, which tells the hardware to
check the access as if it was a user access even in supervisor mode.
We do the same on ppc64 as well.