PAXCTL-NG
Section: Documentation for elfix (1)
Updated: 2018-12-13
NAME
paxctl-ng - get, set or create either PT_PAX or XATTR_PAX flags
SYNOPSIS
paxctl-ng -PpEeMmRrXxSs|-Z|-z [-L|-l] [-v] ELF
paxctl-ng -C|-c|-d [-v] ELF
paxctl-ng -F|-f [-v] ELF
paxctl-ng -L|-l
paxctl-ng [-h]
DESCRIPTION
paxctl-ng is used to get, set or create the PaX flags on ELF executables which determine the memory restrictions on process(es) spawned from them when run under a PaX enabled kernel.
paxctl-ng manages two types of markings, either the older style PT_PAX markings which put the flags in an ELF program header named PAX_FLAGS, or the newer style XATTR_PAX markings which put the flags in an extended attribute field named user.pax.flags on the filesystem. Whenever possible, paxctl-ng will try to set both PT_PAX and XATTR_PAX to the same flags.
There are drawbacks to both PT_PAX and XATTR_PAX markings. PT_PAX will not work on ELF binaries which do not already have a PAX_FLAGS program header. Unlike the original tool, paxctl, which could be instructed to try to add this header or convert a GNU_STACK header, paxctl-ng does not edit the ELF in any way beyond setting the PaX flags, and does so if and only if the PAX_FLAGS program header already exists. Some ELF binaries break when they are edited. Since paxctl-ng never does so, it is usually safe to run it on such binaries.
Conversely, XATTR_PAX requires filesystems that support extended attributes. Most modern filesystems do so, but not all. Furthermore, one must be careful when moving ELF objects to ensure that the target filesystem or archive supports extended attributes, otherwise the markings are lost, unlike PT_PAX markings which are carried within the binary itself.
paxctl-ng is opportunistic without taking control away from the user. If both a PAX_FLAGS program header and a user.pax.flags extended attribute field exist, then both will be updated equally when the user modifies flags, unless the -L or -l flag is given, in which case the change is limited to just PT_PAX or XATTR_PAX, respectively. If only one marking is possible, then only that marking will be updated. Under no circumstances will paxctl-ng create a PAX_FLAGS program header as paxctl does. It will only attempt to create an extended attribute field if it is instructed to do so with the -C or -c flags, and it will attempt to synchronize the PT_PAX and XATTR_PAX markings if given the -F or -f flags. Note that when copying PT_PAX to XATTR_PAX with the -F flag, if the user.pax.flags extended attribute field does not exist, paxctl-ng will create it as if given either the -C or -c flags. Finally, if the user wishes, he can remove the extended attribute field by running paxctl-ng with the -d flag.
OPTIONS
- -P or -p Enable or disable PAGEEXEC
- -S or -s Enable or disable SEGMEXEC
- -M or -m Enable or disable MPROTECT
- -E or -e Enable or disable EMUTRAMP
- -R or -r Enable or disable RANDMMAP
- -X or -x Enable or disable RANDEXEC

If both enabling and disabling flags are set for one item, e.g. -Pp for PAGEEXEC, then the default setting '-' is used.

- -Z Set most secure settings (PSMeRx).
- -z Set default setting (------).
- -C Create XATTR_PAX markings with the most secure PaX settings.
- -c Create XATTR_PAX markings with the default PaX settings.
- -d Delete XATTR_PAX field, "user.pax.flags".
- -F Copy PT_PAX flags to XATTR_PAX, if possible.
- -f Copy XATTR_PAX flags to PT_PAX, if possible.
- -L When given with other flags, only set PT_PAX flags, if possible. When given alone, return EXIT_SUCCESS if PT_PAX is supported, else return EXIT_FAILURE.
- -l When given with other flags, only set XATTR_PAX flags, if possible. When given alone, return EXIT_SUCCESS if XATTR_PAX is supported, else return EXIT_FAILURE.
- -v View the flags.
- -h Print out a short help message and exit.
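The following is an added example, not code from the elfix project or this man page. It shows where the two markings described above live and how the flag letters are interpreted: it walks an ELF64 program header table for a PAX_FLAGS entry, reads the user.pax.flags extended attribute, reports whether the two agree (a practitioner's sanity check after copying a binary to a filesystem or archive that may have dropped xattrs), and merges option letters the way the OPTIONS section describes, including the "-Pp yields '-'" rule. The PT_PAX_FLAGS header type value and the p_flags bit positions are taken from PaX's elf.h additions, not from this page, so treat them as assumptions to verify against your own headers; the minimal ELF image is constructed inline and is not a runnable program.

```python
import errno
import os
import struct
import tempfile

# PT_PAX_FLAGS program-header type and the p_flags bits it carries. Assumed from
# PaX's elf.h additions; the man page itself does not state them.
PT_PAX_FLAGS = 0x65041580
XATTR_NAME = "user.pax.flags"
ORDER = "PSMERX"  # print order: PAGEEXEC SEGMEXEC MPROTECT EMUTRAMP RANDMMAP RANDEXEC
PAX_BITS = {
    "P": (1 << 4, 1 << 5),     # PF_PAGEEXEC / PF_NOPAGEEXEC
    "S": (1 << 6, 1 << 7),     # PF_SEGMEXEC / PF_NOSEGMEXEC
    "M": (1 << 8, 1 << 9),     # PF_MPROTECT / PF_NOMPROTECT
    "E": (1 << 12, 1 << 13),   # PF_EMUTRAMP / PF_NOEMUTRAMP
    "R": (1 << 14, 1 << 15),   # PF_RANDMMAP / PF_NORANDMMAP
    "X": (1 << 10, 1 << 11),   # PF_RANDEXEC / PF_NORANDEXEC
}


def flags_to_string(p_flags):
    """Decode p_flags into six letters: upper = on, lower = off, '-' = default."""
    out = []
    for letter in ORDER:
        on_bit, off_bit = PAX_BITS[letter]
        on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
        # Both bits set is contradictory and is reported as the default '-'.
        out.append(letter if on and not off else letter.lower() if off and not on else "-")
    return "".join(out)


def string_to_flags(s):
    """Inverse of flags_to_string."""
    if len(s) != 6:
        raise ValueError("expected a six-character flag string")
    p_flags = 0
    for letter, ch in zip(ORDER, s):
        on_bit, off_bit = PAX_BITS[letter]
        if ch == letter:
            p_flags |= on_bit
        elif ch == letter.lower():
            p_flags |= off_bit
        elif ch != "-":
            raise ValueError("bad flag character %r" % ch)
    return p_flags


def apply_options(current, opts):
    """Merge option letters as OPTIONS describes: -Z/-z replace the whole string;
    otherwise upper-case enables, lower-case disables, both (e.g. -Pp) gives '-'."""
    if "Z" in opts:
        return "PSMeRx"
    if "z" in opts:
        return "------"
    new = list(current)
    for i, letter in enumerate(ORDER):
        on, off = letter in opts, letter.lower() in opts
        if on or off:
            new[i] = "-" if on and off else letter if on else letter.lower()
    return "".join(new)


def read_pt_pax(data):
    """PT_PAX flag string from an ELF64 little-endian image, or None when there is
    no PAX_FLAGS program header (which paxctl-ng will never add)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return flags_to_string(p_flags)
    return None


def read_xattr_pax(path):
    """user.pax.flags value, or None if absent or the filesystem has no xattr support."""
    try:
        return os.getxattr(path, XATTR_NAME).decode()
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def build_sample_elf(flag_string=None):
    """Constructed minimal ELF64 x86-64 image: header, one PT_LOAD and, if a flag
    string is given, one PT_PAX_FLAGS header. Not a runnable program."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if flag_string is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, string_to_flags(flag_string),
                                 0, 0, 0, 0, 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def check_markings(path):
    """Report both markings; a disagreement means the kernel may apply different
    restrictions than the operator expects, depending on which marking it honours."""
    with open(path, "rb") as f:
        pt = read_pt_pax(f.read())
    xa = read_xattr_pax(path)
    return {"PT_PAX": pt, "XATTR_PAX": xa,
            "consistent": pt is None or xa is None or pt == xa}


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".elf", delete=False) as f:
        f.write(build_sample_elf("PSMeRx"))
    try:
        os.setxattr(f.name, XATTR_NAME, b"PSmeRx")  # deliberately out of step with PT_PAX
    except OSError:
        pass  # filesystem without user xattrs: only PT_PAX will be reported
    print(check_markings(f.name))
    os.unlink(f.name)
```

Running the block stand-alone writes the constructed image to a temporary file, plants a user.pax.flags value that disagrees with the program header, and prints the comparison; on a filesystem without user extended attributes the xattr step is skipped and XATTR_PAX is reported as None, which is exactly the loss the DESCRIPTION warns about when binaries are moved.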
HOMEPAGE
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
REPORTING BUGS
Please report bugs at http://bugs.gentoo.org.
SEE ALSO
scanelf(1),
dumpelf(1),
paxctl(1),
pspax(1),
fix-gnustack(1).
AUTHORS
Anthony G. Basile <blueness@gentoo.org>