swift       05/06/11 13:20:42

  Modified:    xml/htdocs/doc/en/handbook/draft pax-utils.xml
  Log:
  Add pspax chapter

Revision  Changes    Path
1.6       +177 -1    xml/htdocs/doc/en/handbook/draft/pax-utils.xml

file : 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/handbook/draft/pax-utils.xml?rev=1.6&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/handbook/draft/pax-utils.xml?rev=1.6&content-type=text/plain&cvsroot=gentoo
diff : 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/handbook/draft/pax-utils.xml.diff?r1=1.5&r2=1.6&cvsroot=gentoo

Index: pax-utils.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/handbook/draft/pax-utils.xml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- pax-utils.xml       9 Jun 2005 07:02:08 -0000       1.5
+++ pax-utils.xml       11 Jun 2005 13:20:42 -0000      1.6
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding="UTF-8"?>
 
-<!-- $Header: 
/var/cvsroot/gentoo/xml/htdocs/doc/en/handbook/draft/pax-utils.xml,v 1.5 
2005/06/09 07:02:08 swift Exp $ -->
+<!-- $Header: 
/var/cvsroot/gentoo/xml/htdocs/doc/en/handbook/draft/pax-utils.xml,v 1.6 
2005/06/11 13:20:42 swift Exp $ -->
 
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
@@ -469,4 +469,180 @@
 </section>
 </chapter>
 
+<chapter id="pspax">
+<title>Listing PaX Flags and Capabilities</title>
+<section>
+<title>About PaX</title>
+<body>
+
+<p>
+<uri link="http://pax.grsecurity.net";>PaX</uri> is a sub-project of the <uri
+link="http://www.grsecurity.net";>grsecurity</uri> project. Quoting the <uri
+link="http://pax.grsecurity.net/docs/pax.txt";>PaX document</uri>, its main 
+goal is "to research various defense mechanisms against the exploitation of 
+software bugs that give an attacker arbitrary read/write access to the 
+attacked task's address space. This class of bugs contains among others 
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <uri
+link="http://hardened.gentoo.org";>Hardened Gentoo</uri> project supports PaX 
and
+its parent project, grsecurity. Supported kernel packages are
+<c>sys-kernel/hardened-sources</c> and <c>sys-kernel/grsec-sources</c>.
+</p>
+
+<p>
+The Gentoo/Hardened project has a <uri
+link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
+for your reading pleasure.
+</p>
+
+</body>
+</section>
+<section>
+<title>Flags and Capabilities</title>
+<body>
+
+<p>
+If your tool chain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+
+<table>
+<tr>
+  <th>Flag</th>
+  <th>Name</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>P</ti>
+  <ti>PAGEEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the NX bit
+    (or emulated NX bit)
+  </ti>
+</tr>
+<tr>
+  <ti>S</ti>
+  <ti>SEGMEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the
+    segmentation logic of IA-32
+  </ti>
+</tr>
+<tr>
+  <ti>E</ti>
+  <ti>EMUTRAMP</ti>
+  <ti>
+    Allow known code execution sequences on writable pages that
+    should not cause any harm
+  </ti>
+</tr>
+<tr>
+  <ti>M</ti>
+  <ti>MPROTECT</ti>
+  <ti>
+    Prevent the creation of new executable code to the process
+    address space
+  </ti>
+</tr>
+<tr>
+  <ti>R</ti>
+  <ti>RANDMMAP</ti>
+  <ti>
+    Randomize the stack base to prevent certain stack overflow
+    attacks from being successful
+  </ti>
+</tr>
+<tr>
+  <ti>X</ti>
+  <ti>RANDEXEC</ti>
+  <ti>
+    Randomize the address where the application maps to to
+    prevent certain attacks from being exploitable
+  </ti>
+</tr>
+</table>
+
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
+capabilities in our <uri
+link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
+</p>
+
+</body>
+</section>
+<section>
+<title>Using pspax</title>
+<body>
+
+<p>
+The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays 
the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+
+<p>
+When ran, <c>pspax</c> shows the following information:
+</p>
+
+<table>
+<tr>
+  <th>Column</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>USER</ti>
+  <ti>Owner of the process</ti>
+</tr>
+<tr>
+  <ti>PID</ti>
+  <ti>Process id</ti>
+</tr>
+<tr>
+  <ti>PAX</ti>
+  <ti>Run-time PaX flags (if applicable)</ti>
+</tr>
+<tr>
+  <ti>MAPS</ti>
+  <ti>Write/eXecute markings for the process map</ti>
+</tr>
+<tr>
+  <ti>ELF_TYPE</ti>
+  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
+</tr>
+<tr>
+  <ti>NAME</ti>
+  <ti>Name of the process</ti>
+</tr>
+<tr>
+  <ti>CAPS</ti>
+  <ti>POSIX.1e capabilities (see note)</ti>
+</tr>
+<tr>
+  <ti>ATTR</ti>
+  <ti>Extended attributes (if applicable)</ti>
+</tr>
+</table>
+
+<note>
+<c>pspax</c> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <c>pax-utils</c>
+with -DWANT_SYSCAP.
+</note>
+
+<p>
+By default, <c>pspax</c> does not show any kernel processes. If you want those
+to be taken as well, use the <c>-a</c> switch.
+</p>
+
+</body>
+</section>
+</chapter>
+
 </guide>
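Review bot: the RANDMMAP and RANDEXEC rows of the flag table describe the wrong mechanisms. In PaX, RANDMMAP (R) randomizes the base address of mmap() mappings, which is what moves shared libraries and ET_DYN executables; randomizing the stack base is a separate feature (RANDUSTACK) that has no per-binary flag. RANDEXEC (X) randomizes the load address of ET_EXEC binaries, which is why it is tied to the ELF_TYPE column shown later. Suggested rows: "R / RANDMMAP / Randomize the base address of mmap() mappings (libraries, ET_DYN executables)" and "X / RANDEXEC / Randomize the load address of ET_EXEC executables". Smaller issues in the same hunk: "Prevent the creation of new executable code to the process address space" should read "in the process address space"; "maps to to" has a doubled word; "When ran" should be "When run"; "If you want those to be taken as well" should be "included as well". The ATTR paragraph calls the SELinux context an extended attribute; that term is a filesystem concept, so "process security attributes (for example the SELinux context)" would be more accurate. Finally, the `";>` sequences after each `<uri link="...">` are not well-formed XML if they are really in the committed file rather than a mail-archive mangling; please check the file validates against guide.dtd.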



-- 
[email protected] mailing list