=head1 NAME

B<paxctl-ng> - get or set the PaX flags for both PT_PAX and XT_PAX markings

=head1 SYNOPSIS

B<paxctl-ng> [-PpEeMmRrXxSs] [-v] ELF

B<paxctl-ng> -Z [-v] ELF

B<paxctl-ng> -z [-v] ELF

B<paxctl-ng> -C [-v] ELF

B<paxctl-ng> -c [-v] ELF

B<paxctl-ng> -F [-v] ELF

B<paxctl-ng> -f [-v] ELF

B<paxctl-ng> -L [-v] ELF

B<paxctl-ng> -l [-v] ELF

B<paxctl-ng> [-h]

=head1 DESCRIPTION

B<paxctl-ng> is used to get or set the PaX flags on ELF objects which determine
the memory restrictions on the process spawned from those objects.  B<paxctl-ng>
manages two types of markings, either the older style PT_PAX markings which put the
flags in an ELF program header named PT_PAX, or the newer style XT_PAX markings
which put the flags in an extended attribute field called "user.pax" on the filesystem.
Whenever possible, B<paxctl-ng> will set both PT_PAX and XT_PAX to the same flags.

There are drawbacks to both PT_PAX and XT_PAX markings.  PT_PAX will not work on
ELF binaries which do not already have a PT_PAX program header.  Unlike the original
tool, B<paxctl>, which would try to add this header or convert a GNU_STACK header,
B<paxctl-ng> does not edit the ELF in any way, beyond setting the PaX flags if and
only if the PT_PAX program header already exists.  Some ELF binaries break when
they are edited.  Since B<paxctl-ng> will never do so, it is always safe to run
it on such binaries.

Alternatively, XT_PAX requires a filesystem that supports Extended Attributes.  Most
modern filesystems do so, but not all.  Furthermore, one must be careful when
moving ELF objects and ensure that the target filesystem or archive supports
Extended Attributes, otherwise these are lost, unlike PT_PAX markings which
are carried within the binary itself.

B<paxctl-ng> is opportunistic without taking control away from the user.  If both
a PT_PAX program header and XT_PAX extended attribute field "user.pax" exist, then
both markings will be equally updated when the user modifies the flags, unless the
B<-L> or B<-l> flags are given, limiting the markings to just PT_PAX or XT_PAX.  If
only one marking is possible, then only that marking will be updated.  Under no
circumstances will B<paxctl-ng> create a PT_PAX program header as B<paxctl> does.
It will only attempt to create an XT_PAX extended attribute field if it is instructed
to do so with the B<-C> or B<-c> flag, and it will attempt to synchronize the PT_PAX and
XT_PAX markings if given the B<-F> or B<-f> flag.

=head1 OPTIONS

=over

=item B<-P> or B<-p>   Enable or disable PAGEEXEC

=item B<-S> or B<-s>   Enable or disable SEGMEXEC

=item B<-M> or B<-m>   Enable or disable MPROTECT

=item B<-E> or B<-e>   Enable or disable EMUTRAMP

=item B<-R> or B<-r>   Enable or disable RANDMMAP

=item B<-X> or B<-x>   Enable or disable RANDEXEC

=item

If both the enabling and the disabling flag are given for one item,
e.g. B<-Pp> for PAGEEXEC, then the default setting - is used.

=item B<-Z> Set most secure settings (PSMeRx)

=item B<-z> Set default setting (------)

=item B<-C> Create XT_PAX xattr with the most secure PaX settings

=item B<-c> Create XT_PAX xattr with the default PaX settings

=item B<-F> Copy PT_PAX flags to XT_PAX, if possible

=item B<-f> Copy XT_PAX flags to PT_PAX, if possible

=item B<-L> Only set PT_PAX flags, if both are possible

=item B<-l> Only set XT_PAX flags, if both are possible

=item B<-v> View the flags

=item B<-h> Print out a short help message and exit.

=back
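
The following is an added example, not part of paxctl-ng or elfix: a small Python model of the option rules above and of the two-marking caveat from the DESCRIPTION, useful for auditing flag strings collected from B<-v> output. It assumes the six-slot string form this page shows (PSMeRx, ------), that option letters not given leave a slot unchanged, and that a marking which is absent is passed as None; the function names are hypothetical.

```python
# Added example: models the flag strings shown on this page; it does not
# read ELF program headers or extended attributes itself.
ORDER = "PSMERX"  # slot order taken from the page's "PSMeRx"
NAMES = ["PAGEEXEC", "SEGMEXEC", "MPROTECT", "EMUTRAMP", "RANDMMAP", "RANDEXEC"]
MOST_SECURE, DEFAULT = "PSMeRx", "------"  # what -Z and -z set


def validate(flags):
    """Reject anything that is not six slots of upper, lower or '-'."""
    if len(flags) != len(ORDER) or any(
            c not in (up, up.lower(), "-") for c, up in zip(flags, ORDER)):
        raise ValueError(f"not a PaX flag string: {flags!r}")
    return flags


def resolve_options(opts, current=DEFAULT):
    """Apply option letters such as "PeM" or "Pp" to a flag string.

    Assumption: a slot whose letters are not given keeps its current value.
    """
    out = list(validate(current))
    for i, up in enumerate(ORDER):
        on, off = up in opts, up.lower() in opts
        if on and off:
            out[i] = "-"  # both given: the default setting is used
        elif on:
            out[i] = up
        elif off:
            out[i] = up.lower()
    return "".join(out)


def diff(a, b):
    """Names of the features on which two flag strings disagree."""
    return [n for n, x, y in zip(NAMES, validate(a), validate(b)) if x != y]


def audit(pt_pax, xt_pax):
    """Report missing markings, PT_PAX/XT_PAX drift and gaps against -Z."""
    given = {"PT_PAX": pt_pax, "XT_PAX": xt_pax}
    present = {k: v for k, v in given.items() if v is not None}
    return {
        "missing": [k for k in given if k not in present],
        "drift": diff(pt_pax, xt_pax) if len(present) == 2 else [],
        "not_hardened": {k: diff(v, MOST_SECURE) for k, v in present.items()},
    }
```

A "missing" XT_PAX entry on a copy of a binary whose original had one is the lost-attribute case described above; a non-empty "drift" list means the two markings are candidates for B<-F> or B<-f>.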

=head1 HOMEPAGE

http://dev.gentoo.org/~blueness/elfix

=head1 REPORTING BUGS

Please report bugs at http://bugs.gentoo.org.

=head1 SEE ALSO

B<scanelf>(1), B<dumpelf>(1), B<paxctl>(1), B<pspax>(1), B<fix-gnustack>(1).

=head1 AUTHORS

B<Anthony G. Basile> <blueness@gentoo.org>