PAXCTL-NG
Section: Documentation for elfix (1)
Updated: 2015-10-27
NAME
paxctl-ng - get, set or create either PT_PAX or XATTR_PAX flags
SYNOPSIS
paxctl-ng -PpEeMmRrXxSs|-Z|-z [-L|-l] [-v] ELF
paxctl-ng -C|-c|-d [-v] ELF
paxctl-ng -F|-f [-v] ELF
paxctl-ng -L|-l
DESCRIPTION
paxctl-ng is used to get, set or create the PaX flags on ELF executables. These flags determine the memory restrictions on the process(es) spawned from them when run under a PaX enabled kernel. paxctl-ng manages two types of markings: the older style PT_PAX markings, which put the flags in an ELF program header named PAX_FLAGS, and the newer style XATTR_PAX markings, which put the flags in an extended attribute field named user.pax.flags on the filesystem. Whenever possible, paxctl-ng will try to set both PT_PAX and XATTR_PAX to the same flags.
There are drawbacks to both PT_PAX and XATTR_PAX markings. PT_PAX will not work on ELF binaries which do not already have a PAX_FLAGS program header. Unlike the original tool, paxctl, which could be instructed to try to add this header or convert a GNU_STACK header, paxctl-ng does not edit the ELF in any way beyond setting the PaX flags, and only if the PAX_FLAGS program header already exists. Some ELF binaries break when they are edited. Since paxctl-ng never does so, it is usually safe to run it on such binaries.
Alternatively, XATTR_PAX requires filesystems that support extended attributes. Most modern filesystems do so, but not all. Furthermore, one must be careful when moving ELF objects to ensure that the target filesystem or archive supports extended attributes, otherwise they are lost, unlike PT_PAX markings which are carried within the binary itself.
paxctl-ng is opportunistic without taking control away from the user. If both a PAX_FLAGS program header and a user.pax.flags extended attribute field exist, then both will be equally updated when the user modifies flags, unless the -L or -l flags are given, in which case the markings are limited to just PT_PAX or XATTR_PAX, respectively. If only one marking is possible, then only that marking will be updated. Under no circumstances will paxctl-ng create a PAX_FLAGS program header as paxctl does. It will only attempt to create an extended attribute field if it is instructed to do so with the -C or -c flags, and it will attempt to synchronize the PT_PAX and XATTR_PAX markings if given the -F or -f flags. Note that when copying PT_PAX to XATTR_PAX with the -F flag, if the user.pax.flags extended attribute field does not exist, paxctl-ng will create it as if given either the -C or -c flags. Finally, if the user wishes, he can remove the extended attribute field by running paxctl-ng with the -d flag.
OPTIONS
- -P or -p Enable or disable PAGEEXEC
- -S or -s Enable or disable SEGMEXEC
- -M or -m Enable or disable MPROTECT
- -E or -e Enable or disable EMUTRAMP
- -R or -r Enable or disable RANDMMAP
- -X or -x Enable or disable RANDEXEC
- If both enabling and disabling flags are set for one item, e.g. -Pp for PAGEEXEC, then the default setting '-' is used.
- -Z Set most secure settings (PSMeRx).
- -z Set default setting (------).
- -C Create XATTR_PAX markings with the most secure PaX settings.
- -c Create XATTR_PAX markings with the default PaX settings.
- -d Delete XATTR_PAX field, user.pax.flags.
- -F Copy PT_PAX flags to XATTR_PAX, if possible.
- -f Copy XATTR_PAX flags to PT_PAX, if possible.
- -L When given with other flags, only set PT_PAX flags, if possible. When given alone, return EXIT_SUCCESS if PT_PAX is supported, else return EXIT_FAILURE.
- -l When given with other flags, only set XATTR_PAX flags, if possible. When given alone, return EXIT_SUCCESS if XATTR_PAX is supported, else return EXIT_FAILURE.
- -v View the flags
- -h Print out a short help message and exit.
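The following is an added example and not code from this man page or from the elfix project. It shows what the two marking styles described above actually contain: the PAX_FLAGS program header carries the flags as bits in its p_flags word, while user.pax.flags carries the same six-letter string as text, and it models the enable/disable/both-means-default rule from the OPTIONS list. The PT_PAX_FLAGS p_type value and the PF_* bit positions are assumed from the PaX/glibc elf.h definitions; neither appears on this page. The ELF image it parses is constructed in the script, and the ordering of -Z/-z before the per-flag letters in apply_options is this example's own choice.

```python
"""Added example, not code from the paxctl-ng man page or the elfix project."""
import os
import struct

PT_PAX_FLAGS = 0x65041580  # p_type of the PAX_FLAGS program header (assumed from elf.h)

# (letter, enable bit, disable bit) in the PSMERX display order used by -Z/-z.
# Bit positions are assumed from the PaX elf.h definitions, not from this page.
FLAG_BITS = [
    ("P", 1 << 4, 1 << 5),    # PAGEEXEC
    ("S", 1 << 6, 1 << 7),    # SEGMEXEC
    ("M", 1 << 8, 1 << 9),    # MPROTECT
    ("E", 1 << 12, 1 << 13),  # EMUTRAMP
    ("R", 1 << 14, 1 << 15),  # RANDMMAP
    ("X", 1 << 10, 1 << 11),  # RANDEXEC
]


def decode_flags(p_flags):
    """p_flags word -> six-character string such as 'PSMeRx'.
    A flag whose enable and disable bits are both clear (or both set) shows as '-'."""
    out = []
    for letter, on, off in FLAG_BITS:
        if p_flags & on and not p_flags & off:
            out.append(letter)
        elif p_flags & off and not p_flags & on:
            out.append(letter.lower())
        else:
            out.append("-")
    return "".join(out)


def encode_flags(text):
    """Inverse of decode_flags: 'PSMeRx' -> p_flags word."""
    if len(text) != len(FLAG_BITS):
        raise ValueError("flag string must have exactly six characters")
    word = 0
    for (letter, on, off), ch in zip(FLAG_BITS, text):
        if ch == letter:
            word |= on
        elif ch == letter.lower():
            word |= off
        elif ch != "-":
            raise ValueError("unexpected flag character %r" % ch)
    return word


def apply_options(current, opts):
    """Model the per-flag options on a flag string; opts is the option letters
    as typed without dashes, e.g. 'Pp' or 'Ms'.  -Z/-z replace the whole string
    first (this example's ordering); then an uppercase letter enables, a
    lowercase one disables, and both together yield the default '-'."""
    flags = list(current)
    if "Z" in opts:
        flags = list("PSMeRx")
    elif "z" in opts:
        flags = list("------")
    for i, (letter, _, _) in enumerate(FLAG_BITS):
        on, off = letter in opts, letter.lower() in opts
        if on and off:
            flags[i] = "-"
        elif on:
            flags[i] = letter
        elif off:
            flags[i] = letter.lower()
    return "".join(flags)


def build_elf(pax_word, with_pax_header=True):
    """Constructed minimal little-endian ELF64 image: one PT_LOAD header and,
    optionally, a PAX_FLAGS header carrying pax_word.  Not loadable; just
    enough structure for read_pt_pax to parse."""
    phdr = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    phdrs = [struct.pack(phdr, 1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if with_pax_header:
        phdrs.append(struct.pack(phdr, PT_PAX_FLAGS, pax_word, 0, 0, 0, 0, 0, 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, 0x401000,  # e_type e_machine e_version e_entry
                               64, 0, 0,              # e_phoff e_shoff e_flags
                               64, 56, len(phdrs),    # e_ehsize e_phentsize e_phnum
                               64, 0, 0)              # e_shentsize e_shnum e_shstrndx
    return ehdr + b"".join(phdrs)


def read_pt_pax(elf):
    """Return the PT_PAX marking of an ELF64 image as a flag string, or None when
    no PAX_FLAGS header exists (paxctl-ng never adds one, so it cannot mark such a file)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("this example handles ELF64 images only")
    end = "<" if elf[5] == 1 else ">"
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return decode_flags(p_flags)
    return None


def read_xattr_pax(path):
    """Read the XATTR_PAX marking (user.pax.flags) of a file on disk; None when the
    attribute is absent or the filesystem does not support extended attributes."""
    try:
        return os.getxattr(path, "user.pax.flags").decode()
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    image = build_elf(encode_flags("PSMeRx"))
    print("PT_PAX :", read_pt_pax(image))                # PSMeRx
    print("no hdr :", read_pt_pax(build_elf(0, False)))  # None
    print("-Pp    :", apply_options("PSMeRx", "Pp"))     # -SMeRx
```

read_pt_pax returning None for a file is exactly the situation the DESCRIPTION warns about: such a binary can only be marked through user.pax.flags, and that marking survives only on filesystems and archives that preserve extended attributes, which read_xattr_pax also reports as None.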
HOMEPAGE
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
REPORTING BUGS
Please report bugs at http://bugs.gentoo.org.
SEE ALSO
scanelf(1), dumpelf(1), paxctl(1), pspax(1), fix-gnustack(1).
AUTHORS
Anthony G. Basile <blueness@gentoo.org>