| @@ -1,117 +1,117 @@ | | | @@ -1,117 +1,117 @@ |
1 | .\" $NetBSD: paxctl.8,v 1.11 2009/09/17 08:07:17 plunky Exp $ | | 1 | .\" $NetBSD: paxctl.8,v 1.12 2011/04/28 11:57:08 wiz Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright 2006 Elad Efrat <elad@NetBSD.org> | | 3 | .\" Copyright 2006 Elad Efrat <elad@NetBSD.org> |
4 | .\" Copyright 2008 Christos Zoulas <christos@NetBSD.org> | | 4 | .\" Copyright 2008 Christos Zoulas <christos@NetBSD.org> |
5 | .\" All rights reserved. | | 5 | .\" All rights reserved. |
6 | .\" | | 6 | .\" |
7 | .\" 1. Redistributions of source code must retain the above copyright | | 7 | .\" 1. Redistributions of source code must retain the above copyright |
8 | .\" notice, this list of conditions and the following disclaimer. | | 8 | .\" notice, this list of conditions and the following disclaimer. |
9 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 9 | .\" 2. Redistributions in binary form must reproduce the above copyright |
10 | .\" notice, this list of conditions and the following disclaimer in the | | 10 | .\" notice, this list of conditions and the following disclaimer in the |
11 | .\" documentation and/or other materials provided with the distribution. | | 11 | .\" documentation and/or other materials provided with the distribution. |
12 | .\" 3. The name of the author may not be used to endorse or promote products | | 12 | .\" 3. The name of the author may not be used to endorse or promote products |
13 | .\" derived from this software without specific prior written permission. | | 13 | .\" derived from this software without specific prior written permission. |
14 | .\" | | 14 | .\" |
15 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | | 15 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | | 16 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | | 17 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | | 18 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | | 19 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | | 20 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | | 21 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | | 22 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | | 23 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | | 24 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | .\" | | 25 | .\" |
26 | .Dd September 17, 2009 | | 26 | .Dd September 17, 2009 |
27 | .Dt PAXCTL 8 | | 27 | .Dt PAXCTL 8 |
28 | .Os | | 28 | .Os |
29 | .Sh NAME | | 29 | .Sh NAME |
30 | .Nm paxctl | | 30 | .Nm paxctl |
31 | .Nd list and modify PaX flags associated with an ELF program | | 31 | .Nd list and modify PaX flags associated with an ELF program |
32 | .Sh SYNOPSIS | | 32 | .Sh SYNOPSIS |
33 | .Nm | | 33 | .Nm |
34 | .Ar flags | | 34 | .Ar flags |
35 | .Ar program ... | | 35 | .Ar program ... |
36 | .Sh DESCRIPTION | | 36 | .Sh DESCRIPTION |
37 | The | | 37 | The |
38 | .Nm | | 38 | .Nm |
39 | utility is used to list and manipulate PaX flags associated with an ELF | | 39 | utility is used to list and manipulate PaX flags associated with an ELF |
40 | program. | | 40 | program. |
41 | The PaX flags signify to the loader the privilege protections to be applied | | 41 | The PaX flags signify to the loader the privilege protections to be applied |
42 | to mapped memory pages, and fuller explanations of the specific protections | | 42 | to mapped memory pages, and fuller explanations of the specific protections |
43 | can be found in the | | 43 | can be found in the |
44 | .Xr security 8 | | 44 | .Xr security 7 |
45 | manpage. | | 45 | manpage. |
46 | .Pp | | 46 | .Pp |
47 | Each flag can be prefixed either with a | | 47 | Each flag can be prefixed either with a |
48 | .Dq + | | 48 | .Dq + |
49 | or a | | 49 | or a |
50 | .Dq - | | 50 | .Dq - |
51 | sign to add or remove the flag, respectively. | | 51 | sign to add or remove the flag, respectively. |
52 | .Pp | | 52 | .Pp |
53 | The following flags are available: | | 53 | The following flags are available: |
54 | .Bl -tag -width flag | | 54 | .Bl -tag -width flag |
55 | .It a | | 55 | .It a |
56 | Explicitly disable PaX ASLR (Address Space Layout Randomization) for | | 56 | Explicitly disable PaX ASLR (Address Space Layout Randomization) for |
57 | .Ar program . | | 57 | .Ar program . |
58 | .It A | | 58 | .It A |
59 | Explicitly enable PaX ASLR for | | 59 | Explicitly enable PaX ASLR for |
60 | .Ar program . | | 60 | .Ar program . |
61 | .It g | | 61 | .It g |
62 | Explicitly disable PaX Segvguard for | | 62 | Explicitly disable PaX Segvguard for |
63 | .Ar program . | | 63 | .Ar program . |
64 | .It G | | 64 | .It G |
65 | Explicitly enable PaX Segvguard for | | 65 | Explicitly enable PaX Segvguard for |
66 | .Ar program . | | 66 | .Ar program . |
67 | .It m | | 67 | .It m |
68 | Explicitly disable PaX MPROTECT | | 68 | Explicitly disable PaX MPROTECT |
69 | .Po Xr mprotect 2 | | 69 | .Po Xr mprotect 2 |
70 | restrictions | | 70 | restrictions |
71 | .Pc | | 71 | .Pc |
72 | for | | 72 | for |
73 | .Ar program . | | 73 | .Ar program . |
74 | .It M | | 74 | .It M |
75 | Explicitly enable PaX MPROTECT | | 75 | Explicitly enable PaX MPROTECT |
76 | .Po Xr mprotect 2 | | 76 | .Po Xr mprotect 2 |
77 | restrictions | | 77 | restrictions |
78 | .Pc | | 78 | .Pc |
79 | for | | 79 | for |
80 | .Ar program . | | 80 | .Ar program . |
81 | .El | | 81 | .El |
82 | .Pp | | 82 | .Pp |
83 | To view existing flags on a file, execute | | 83 | To view existing flags on a file, execute |
84 | .Nm | | 84 | .Nm |
85 | without any flags. | | 85 | without any flags. |
86 | .Sh SEE ALSO | | 86 | .Sh SEE ALSO |
87 | .Xr mprotect 2 , | | 87 | .Xr mprotect 2 , |
88 | .Xr sysctl 3 , | | 88 | .Xr sysctl 3 , |
89 | .Xr options 4 , | | 89 | .Xr options 4 , |
90 | .Xr elf 5 , | | 90 | .Xr elf 5 , |
91 | .Xr security 8 , | | 91 | .Xr security 7 , |
92 | .Xr sysctl 8 , | | 92 | .Xr sysctl 8 , |
93 | .Xr fileassoc 9 | | 93 | .Xr fileassoc 9 |
94 | .Sh HISTORY | | 94 | .Sh HISTORY |
95 | The | | 95 | The |
96 | .Nm | | 96 | .Nm |
97 | utility first appeared in | | 97 | utility first appeared in |
98 | .Nx 4.0 . | | 98 | .Nx 4.0 . |
99 | .Pp | | 99 | .Pp |
100 | The | | 100 | The |
101 | .Nm | | 101 | .Nm |
102 | utility is modeled after a tool of the same name available for Linux from the | | 102 | utility is modeled after a tool of the same name available for Linux from the |
103 | PaX project. | | 103 | PaX project. |
104 | .Sh AUTHORS | | 104 | .Sh AUTHORS |
105 | .An Elad Efrat Aq elad@NetBSD.org | | 105 | .An Elad Efrat Aq elad@NetBSD.org |
106 | .An Christos Zoulas Aq christos@NetBSD.org | | 106 | .An Christos Zoulas Aq christos@NetBSD.org |
107 | .Sh BUGS | | 107 | .Sh BUGS |
108 | The | | 108 | The |
109 | .Nm | | 109 | .Nm |
110 | utility currently uses | | 110 | utility currently uses |
111 | .Xr elf 5 | | 111 | .Xr elf 5 |
112 | .Dq note | | 112 | .Dq note |
113 | sections to mark executables as PaX Segvguard enabled. | | 113 | sections to mark executables as PaX Segvguard enabled. |
114 | This will be done using | | 114 | This will be done using |
115 | .Xr fileassoc 9 | | 115 | .Xr fileassoc 9 |
116 | in the future so that we can control who does the marking and | | 116 | in the future so that we can control who does the marking and |
117 | not altering the binary file signature. | | 117 | not altering the binary file signature. |
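Review bot: the `.Dd September 17, 2009` line in this hunk is left untouched although the page content changes (the RCS id on the first line of the new side is dated 2011/04/28); if the project's convention is to bump `.Dd` when cross-references are corrected, update it to the commit date, otherwise the commit message should say the date was deliberately kept. The two `.Xr security 8` to `.Xr security 7` changes, one in DESCRIPTION and one in SEE ALSO, are applied consistently, and the SEE ALSO list still reads in section order (`elf 5`, `security 7`, `sysctl 8`), so no reordering is needed there.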