PAXCTL(8) BSD System Manager's Manual PAXCTL(8)
NAME
paxctl -- list and modify PaX flags associated with an ELF program
SYNOPSIS
paxctl flags program ...
DESCRIPTION
The paxctl utility is used to list and manipulate PaX flags associated with an ELF program. The PaX flags signify to the loader the
privilege protections to be applied to mapped memory pages, and fuller explanations of the specific protections can be found in the
security(7) manpage.
Each flag can be prefixed either with a ``+'' or a ``-'' sign to add or remove the flag, respectively.
The following flags are available:
a Explicitly disable PaX ASLR (Address Space Layout Randomization) for program.
A Explicitly enable PaX ASLR for program.
g Explicitly disable PaX Segvguard for program.
G Explicitly enable PaX Segvguard for program.
m Explicitly disable PaX MPROTECT (mprotect(2) restrictions) for program.
M Explicitly enable PaX MPROTECT (mprotect(2) restrictions) for program.
To view existing flags on a file, execute paxctl without any flags.
SEE ALSO
mprotect(2), sysctl(3), options(4), elf(5), security(7), sysctl(8), fileassoc(9)
HISTORY
The paxctl utility first appeared in NetBSD 4.0.
The paxctl utility is modeled after a tool of the same name available for Linux from the PaX project.
AUTHORS
Elad Efrat <elad@NetBSD.org>
Christos Zoulas <christos@NetBSD.org>
BUGS
The paxctl utility currently uses elf(5) ``note'' sections to mark executables as PaX Segvguard enabled. This will be done using
fileassoc(9) in the future so that we can control who does the marking and avoid altering the binary file signature.
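Added example (not part of the NetBSD manual or the paxctl source): because the flags currently live in an ELF note, they can be read back from a note buffer when auditing which binaries opt out of a protection. The note name "PaX", note type 3 and the flag bit values are assumptions taken from NetBSD's <sys/exec_elf.h>, not from this page; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed from NetBSD <sys/exec_elf.h>, not from this page: note name "PaX\0",
 * note type 3, flag bits 0x01..0x20 in the order M m G g A a. */
/* Constructed sample: a "NetBSD" ident note, then a PaX note with flags 0x22. */
static const unsigned char sample[] = {
    7,0,0,0, 4,0,0,0, 1,0,0,0, 'N','e','t','B','S','D',0,0, 0,0,0,0,
    4,0,0,0, 4,0,0,0, 3,0,0,0, 'P','a','X',0, 0x22,0,0,0 };

static uint32_t rd32le(const unsigned char *p)  /* sample is little-endian */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* 1 = PaX note found (*flags set), 0 = none, -1 = sizes run past the buffer. */
int pax_note_flags(const unsigned char *buf, size_t len, uint32_t *flags)
{
    size_t off = 0;
    while (len - off >= 12) {               /* header: namesz, descsz, type */
        uint32_t namesz = rd32le(buf + off), descsz = rd32le(buf + off + 4);
        uint32_t type = rd32le(buf + off + 8);
        uint64_t name_pad = ((uint64_t)namesz + 3) & ~3ull;  /* 4-byte padding */
        uint64_t desc_pad = ((uint64_t)descsz + 3) & ~3ull;
        off += 12;
        if (name_pad + desc_pad > len - off) return -1;
        if (type == 3 && namesz == 4 && descsz == 4 &&
            memcmp(buf + off, "PaX", 4) == 0) {
            *flags = rd32le(buf + off + name_pad);
            return 1;
        }
        off += (size_t)(name_pad + desc_pad);
    }
    return 0;
}
/* Enable and disable bit of the same feature both set (M+m, G+g or A+a). */
int pax_flags_conflict(uint32_t f) { return ((f & (f >> 1)) & 0x15) != 0; }
/* Render flags as the letters from the flag list; out needs 7 bytes. */
void pax_flags_letters(uint32_t f, char *out)
{
    for (int i = 0; i < 6; i++) if (f & (1u << i)) *out++ = "MmGgAa"[i];
    *out = '\0';
}

int main(void)
{
    uint32_t f = 0; char s[7] = "";
    if (pax_note_flags(sample, sizeof sample, &f) == 1) pax_flags_letters(f, s);
    printf("PaX flags: %s%s\n", s, pax_flags_conflict(f) ? " (conflict)" : "");
    return 0;
}
```

A result containing ``m'' or ``a'' identifies a binary that has explicitly opted out of MPROTECT or ASLR.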
BSD September 17, 2009 BSD
elf_flag(3E) elf_flag(3E)
NAME
elf_flagdata, elf_flagehdr, elf_flagelf, elf_flagphdr, elf_flagscn, elf_flagshdr - manipulate flags
SYNOPSIS
[flag... ] file... [library] ...
DESCRIPTION
These functions manipulate the flags associated with various structures of an ELF file. Given an ELF descriptor elf, a data descriptor
data, or a section descriptor scn, the functions may set or clear the associated status bits, returning the updated bits. A null descriptor
is allowed, to simplify error handling; all functions return zero for this degenerate case.
cmd may have the following values:
The functions clear the bits that are asserted in
flags. Only the non-zero bits in flags are cleared; zero bits do not change the status of the descriptor.
The functions set the bits that are asserted
in flags. Only the non-zero bits in flags are set; zero bits do not change the status of the descriptor.
Descriptions of the defined flags bits appear below.
When the program intends to write an ELF
file, this flag asserts the associated information needs to be written to the file. Thus, for example, a program that
wished to update the ELF header of an existing file would call with this bit set in flags and cmd equal to A later call
to would write the marked header to the file.
Normally, the library decides how to arrange
an output file. That is, it automatically decides where to place sections, how to align them in the file, etc. If this
bit is set for an ELF descriptor, the program assumes responsibility for determining all file positions. This bit is
meaningful only for and applies to the entire file associated with the descriptor.
When a flag bit is set for an item, it affects all the subitems as well. Thus, for example, if the program sets the bit with the entire
logical file is ``dirty.''
EXAMPLES
The following fragment shows how one might mark the ELF header to be written to the output file.
SEE ALSO
elf(3E), elf_end(3E), elf_getdata(3E), elf_getehdr(3E), elf_update(3E).
elf_flag(3E)