Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/doc/paxctl-ng.pod
blob: 99b79a1802e5ba1e641bb206db241f12df56f35a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

=head1 NAME

B<paxctl-ng> - get, set or create either PT_PAX or XATTR_PAX flags

=head1 SYNOPSIS

B<paxctl-ng> -PpEeMmRrXxSs|-Z|-z [-L|-l] [-v] ELF

B<paxctl-ng> -C|-c|-d [-v] ELF

B<paxctl-ng> -F|-f [-v] ELF

B<paxctl-ng> -L|-l

B<paxctl-ng> [-h]

=head1 DESCRIPTION

B<paxctl-ng> is used to get, set or create the PaX flags on ELF executables which
determine the memory restrictions on process(es) spawned from them when run under
a PaX enabled kernel.  B<paxctl-ng> manages two types of markings, either the older
style PT_PAX markings which put the flags in an ELF program header named PAX_FLAGS,
or the newer style XATTR_PAX markings which put the flags in an extended attribute
field named user.pax.flags on the filesystem.  Whenever possible, B<paxctl-ng>
will try to set both PT_PAX and XATTR_PAX to the same flags.

There are drawbacks to both PT_PAX and XATTR_PAX markings.  PT_PAX will not work on
ELF binaries which do not already have a PAX_FLAGS program header.  Unlike the original
tool, B<paxctl>, which could be instructed to try to add this header or convert a
GNU_STACK header, B<paxctl-ng> does not edit the ELF in any way, beyond setting the
PaX flags if and only if the PAX_FLAGS program header already exists.  Some ELF binaries
break when they are edited.  Since, B<paxctl-ng> will never to so, it is usually safe
to run it on such binaries.

Alternatively, XATTR_PAX requires filesystems that support extended attributes.
Most modern filesystems do so, but not all.  Furthermore, one must be careful when
moving ELF objects to ensure that the target filesystem or archive supports
extended attributes, otherwise they are lost, unlike PT_PAX markings which
are carried within the binary itself.

B<paxctl-ng> is opportunistic without taking control away from the user.  If both
a PAX_FLAGS program header and a user.pax.flags extended attribute field exist, then
both will be equally updated when the user modifies flags; unless the B<-L> or B<-l>
flags are given, in which case the markings are limiting to just PT_PAX or XATTR_PAX,
respectively.  If only one marking is possible, then only that marking will be updated.
Under no circumstances will B<paxctl-ng> create a PAX_FLAGS program header as B<paxctl>
does.  It will only attempt to create an extended attribute field if it is instructed
to do so with the B<-C> or B<-c> flags, and it will attempt to synchronize the PT_PAX
and XATTR_PAX markings if given the B<-F> or B<-f> flags.  Note that when copying PT_PAX
to XATTR_PAX with the B<-F> flag, if the user.pax.flags extended attribute field does
not exist, B<paxctl-ng> will create it as if given either the B<-C> or B<-c> flags.
Finally, if the user wishes, he can remove the extended attribute field by running
B<paxctl-ng> with the B<-d> flag.

=head1 OPTIONS

=over

=item B<-P> or B<-p>   Enable or disable PAGEEXEC

=item B<-S> or B<-s>   Enable or disable SEGMEXEC

=item B<-M> or B<-m>   Enable or disable MPROTECT

=item B<-E> or B<-e>   Enable or disable EMUTRAMP

=item B<-R> or B<-r>   Enable or disable RANDMMAP

=item B<-X> or B<-x>   Enable or disable RANDEXEC

If both enabling and disabling flags are set for one item, eg. -Pp for PAGEEXEC, then the default setting '-' is used.

=item B<-Z> Set most secure settings (PSMeRx).

=item B<-z> Set default setting (------).

=item B<-C> Create XATTR_PAX markings with the most secure PaX settings.

=item B<-c> Create XATTR_PAX markings with the default PaX settings.

=item B<-d> Delete XATTR_PAX field, "user.pax.flags".

=item B<-F> Copy PT_PAX flags to XATTR_PAX, if possible.

=item B<-f> Copy XATTR_PAX flags to PT_PAX, if possible.

=item B<-L> When given with other flags, only set PT_PAX flags, if possible.  When given alone, return EXIT_SUCCESS if PT_PAX is supported, else return EXIT_FAILURE.

=item B<-l> When given with other flags, only set XATTR_PAX flags, if possible.  When given alone, return EXIT_SUCCESS if XATTR_PAX is supported, else return EXIT_FAILURE.

=item B<-v> View the flags

=item B<-h> Print out a short help message and exit.

=back

=head1 HOMEPAGE

http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

=head1 REPORTING BUGS

Please report bugs at http://bugs.gentoo.org.

=head1 SEE ALSO

B<scanelf>(1), B<dumpelf>(1), B<paxctl>(1), B<pspax>(1), B<fix-gnustack>(1).

=head1 AUTHORS

B<Anthony G. Basile> <blueness@gentoo.org>