man paxctl (Commandes) - user-space utility to control PaX flags

NAME

paxctl - user-space utility to control PaX flags

SYNTAX

paxctl <flags> <files>

DESCRIPTION

paxctl is a tool that allows PaX flags to be modified on a per-binary basis. PaX is part of common security-enhancing kernel patches and secure distributions, such as GrSecurity or Adamantix and Hardened Gentoo, respectively. Your system needs to be running a properly patched and configured kernel for this program to have any effect.

-P
enforce paging based non-executable pages (PAGEEXEC)
-p
do not enforce paging based non-executable pages (NOPAGEEXEC)
-E
emulate trampolines (EMUTRAMP)
-e
do not emulate trampolines (NOEMUTRAMP)
-M
enforce secure memory protections (MPROTECT)
-m
do not enforce secure memory protections (NOMPROTECT)
-R
randomize memory regions (RANDMMAP)
-r
do not randomize memory regions (NORANDMMAP)
-X
randomize base address of normal (ET_EXEC) executables (RANDEXEC)
-x
do not randomize base address of normal (ET_EXEC) executables (NORANDEXEC)
-S
enforce segmentation based non-executable pages (SEGMEXEC)
-s
do not enforce segmentation based non-executable pages (NOSEGMEXEC)
-v
view flags
-z
restore default flags (further flags still apply)
-c
create the PT_PAX_FLAGS program header if it does not exist but PT_GNU_STACK does by converting the latter into the former
-q
suppress error messages
-Q
report flags in short format

CAVEATS

The old PaX flag location and control method have been obsoleted, if your kernel and binaries use it you have to use chpax(1) instead.

Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in the former is destroyed, in particular you must make sure that the EMUTRAMP PaX option is properly set in the newly created PT_PAX_FLAGS. The secure way is to disable EMUTRAMP first and if PaX reports stack execution attempts from nested function trampolines then enable it. Note also that the conversion creates PT_PAX_FLAGS in the same state that binutils/ld itself does (equivalent to -zex).

AUTHOR

Written by The PaX Team <pageexec@freemail.hu>

This manpage was adapted from the chpax manpage written by Martin F. Krafft <madduck@debian.org> for the Debian GNU/Linux Distribution, but may be used by others.

SEE ALSO

chpax(1), gradm(8)

PaX website: http://pax.grsecurity.net

GrSecurity website: http://www.grsecurity.net

Adamantix website: http://adamantix.org

Hardened Gentoo website: http://www.gentoo.org/proj/en/hardened