Diffstat (limited to 'doc/paxctl-ng.pod')
-rw-r--r--  doc/paxctl-ng.pod  50
1 files changed, 47 insertions, 3 deletions
diff --git a/doc/paxctl-ng.pod b/doc/paxctl-ng.pod
index 3dcd7f7..90aac3d 100644
--- a/doc/paxctl-ng.pod
+++ b/doc/paxctl-ng.pod
@@ -1,6 +1,6 @@
=head1 NAME
-B<paxctl-ng> - get or set the PaX flags for both PT_PAX and XT_PAX
+B<paxctl-ng> - get or set the PaX flags for both PT_PAX and XT_PAX markings
=head1 SYNOPSIS
@@ -10,11 +10,47 @@ B<paxctl-ng> -Z [-v] ELF
B<paxctl-ng> -z [-v] ELF
+B<paxctl-ng> -C [-v] ELF
+
+B<paxctl-ng> -c [-v] ELF
+
+B<paxctl-ng> -F [-v] ELF
+
+B<paxctl-ng> -f [-v] ELF
+
B<paxctl-ng> [-h]
=head1 DESCRIPTION
-B<paxctl-ng> scans the program headers of ELF binaries or shared
+B<paxctl-ng> is used to get or set the PaX flags on ELF objects which determine
+the memory restrictions on the process spawned from those objects. B<paxctl-ng>
+manages two types of markings, either the older style PT_PAX markings which put the
+flags in an ELF program header named PT_PAX, or the newer style XT_PAX markings
+which put the flags in an extended attribute field called "user.pax" on the filesystem.
+Whenever possible, B<paxctl-ng> will set both PT_PAX and XT_PAX to the same flags.
+
+There are drawbacks to both PT_PAX and XT_PAX markings. PT_PAX will not work on
+ELF binaries which do not already have a PT_PAX program header. Unlike the original
+tool, B<paxctl>, which would try to add this header or convert a GNU_STACK header,
+B<paxctl-ng> does not edit the ELF in any way, beyond setting the PaX flags if and
+only if the PT_PAX program header already exists. Some ELF binaries break when
+they are edited. Since, B<paxctl-ng> will never to so, it is always safe to run
+it on such binaries.
+
+Alternatively, XT_PAX requires a filesystem support Extended Attributes. Most
+modern filesystems do so, but not all. Furthermore, one must be careful when
+moving ELF objects and ensure that the target filesystem or archive supports
+Extended Attributes, otherwise these are lost, unlike PT_PAX markings which
+are carried within the binary itself.
+
+B<paxctl-ng> is opportunistic without taking control away from the user. If both
+a PT_PAX program header and XT_PAX extended attribute field "user.pax" exist, and
+then both markings will be equally updated when the user modifies the flags. If
+only one marking exists, then only that marking will be updated. Under no circumstances
+will B<paxctl-ng> create a PT_PAX program header. It will attempt to create an XT_PAX
+extended attribute field if it is instructed to do so with the -C or -c flag,
+and it will attempt to synchronize the PT_PAX and XT_PAX markings if given the -F
+or -f flag.
=head1 OPTIONS
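Review bot: the new DESCRIPTION has a few wording defects that should be fixed before merge: "will never to so" should read "will never do so"; "requires a filesystem support Extended Attributes" should read "requires a filesystem that supports Extended Attributes"; and the stray "and" in "exist, and then both markings will be equally updated" should be dropped. The safety claim also contradicts itself slightly: the text first says the tool "does not edit the ELF in any way, beyond setting the PaX flags" in an existing PT_PAX header, and then that it "will never do so, it is always safe to run it on such binaries". Writing the flag field of an existing PT_PAX header is still a write to the file, so the claim should be narrowed to what the paragraph actually guarantees, e.g. "Since B<paxctl-ng> only ever rewrites the flag field of an already present PT_PAX header and never adds or converts headers, it is safe to run on such binaries." Finally, since the same section says the tool will never create a PT_PAX header, it would help to state that -f (XT_PAX to PT_PAX) is likewise a no-op on binaries without that header, so the "if possible" in the option list is explained here rather than left implicit.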
@@ -37,10 +73,18 @@ B<paxctl-ng> scans the program headers of ELF binaries or shared
If both enabling and disabling flags are set for one item,
eg. -Pp for PAGEEXEC, then the default setting - is used.
-=item B<-Z> Set most secure settings (PSMeRX)
+=item B<-Z> Set most secure settings (PSMeRx)
=item B<-z> Set default setting (------)
+=item B<-C> Create XT_PAX xattr with the most secure PaX settings
+
+=item B<-c> Create XP_PAX xattr with the default PaX settings
+
+=item B<-F> Copy PT_PAX flags to XT_PAX, if possible
+
+=item B<-f> Copy XT_PAX flags to PT_PAX, if possible
+
=item B<-v> View the flags
=item B<-h> Print out a short help message and exit.
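Review bot: the new -c item says "Create XP_PAX xattr"; that should be "XT_PAX" to match the -C item and the rest of the document. Separately, the -Z line changes the flag string from "PSMeRX" to "PSMeRx", which in PaX flag notation turns the last flag from enabled to disabled rather than being a cosmetic fix; if that reflects what -Z actually writes, the change is correct but deserves a one-line note in the commit message so nobody "corrects" it back later.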