NAME
paxctl — list and modify PaX flags associated with an ELF program
SYNOPSIS
DESCRIPTION
The paxctl utility is used to list and manipulate PaX flags associated with an ELF program. The PaX flags signify to the loader the privilege protections to be applied to mapped memory pages, and fuller explanations of the specific protections can be found in the security(7) manpage.

Each flag can be prefixed either with a “+” or a “-” sign to add or remove the flag, respectively.

The following flags are available:

  a    Explicitly disable PaX ASLR (Address Space Layout Randomization) for program.
  A    Explicitly enable PaX ASLR for program.
  g    Explicitly disable PaX Segvguard for program.
  G    Explicitly enable PaX Segvguard for program.
  m    Explicitly disable PaX MPROTECT (mprotect(2) restrictions) for program.
  M    Explicitly enable PaX MPROTECT (mprotect(2) restrictions) for program.

To view existing flags on a file, execute paxctl without any flags.
SEE ALSO
mprotect(2), sysctl(3), options(4), elf(5), security(7), sysctl(8), fileassoc(9)
HISTORY
The paxctl utility first appeared in NetBSD 4.0.

The paxctl utility is modeled after a tool of the same name available for Linux from the PaX project.
AUTHORS
Elad Efrat <elad@NetBSD.org>
Christos Zoulas <christos@NetBSD.org>
BUGS
The paxctl utility currently uses elf(5) “note” sections to mark executables as having PaX flags enabled. This will be done using fileassoc(9) in the future so that we can control who does the marking without altering the binary file signature. (Note this also means that at present any flags set do not survive binary file upgrades.)
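
Because flags set today do not survive binary file upgrades, a site can keep its PaX exceptions in a policy list and reapply them after each upgrade. The script below is an added example, not part of the original manual page; the policy format, the sample paths and the invocation form "paxctl <flag> <program>" are assumptions.

```sh
#!/bin/sh
# Added example: reapply PaX flags from a policy list after an upgrade.
# Policy format (an assumption of this example): "<flag> <path>" per line.
PAXCTL=${PAXCTL:-paxctl}   # assumed to be in PATH
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands instead of running them

# Accept exactly one documented flag letter with a "+" or "-" prefix.
valid_flag() {
    case "$1" in
        [+-][aAgGmM]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample policy; paths are hypothetical. "+m" adds the flag that
# explicitly disables MPROTECT, "+G" the one that explicitly enables Segvguard.
sample_policy() {
    cat <<'EOF'
# flag path
+m /usr/pkg/bin/jitapp
+G /usr/pkg/sbin/netdaemon
+x /usr/pkg/bin/typo
EOF
}

# Read a policy on stdin and issue one paxctl call per valid line.
# Returns the number of rejected or failed lines (0 = fully applied).
apply_policy() {
    bad=0
    while read -r flag path; do
        case "$flag" in ''|'#'*) continue ;; esac
        if ! valid_flag "$flag" || [ -z "$path" ]; then
            echo "rejected: $flag $path" >&2
            bad=$((bad + 1))
        elif [ "$DRY_RUN" = 1 ]; then
            echo "$PAXCTL $flag $path"
        else
            "$PAXCTL" "$flag" "$path" </dev/null || bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```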