CVS commit: src/usr.sbin/paxctl

2023-08-20 Thread David A. Holland
Module Name:    src
Committed By:   dholland
Date:           Mon Aug 21 00:41:49 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8

Log Message:
paxctl(8): it is not a bug that paxctl settings are persistent.

Nor is it a bug that they're applied to the file rather than stored in
some magic secret database where they survive reinstalls, which the
prior wording seems to suggest was the eventual intention.

It is worth noting that they change the target file, so still say that.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/paxctl/paxctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.21 src/usr.sbin/paxctl/paxctl.8:1.22
--- src/usr.sbin/paxctl/paxctl.8:1.21	Wed Aug 16 22:22:02 2023
+++ src/usr.sbin/paxctl/paxctl.8	Mon Aug 21 00:41:49 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.21 2023/08/16 22:22:02 gutteridge Exp $
+.\"	$NetBSD: paxctl.8,v 1.22 2023/08/21 00:41:49 dholland Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 23, 2023
+.Dd August 20, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
@@ -104,17 +104,17 @@ PaX project.
 .Sh AUTHORS
 .An Elad Efrat Aq Mt e...@netbsd.org
 .An Christos Zoulas Aq Mt chris...@netbsd.org
-.Sh BUGS
+.Sh RESTRICTIONS
 The
 .Nm
-utility currently uses
+utility uses
 .Xr elf 5
-note sections to mark executables as having PaX flags enabled.
-This will be done using
-.Xr fileassoc 9
-in the future so that we can control who does the marking and
-not alter the binary file signature.
-.Po
-Note this also means that
-at present any flags set do not survive binary file upgrades.
-.Pc
+note sections to mark executables with PaX flags.
+This means that, as one might expect, the PaX settings do not persist
+if the program file is replaced.
+It also means that running
+.Nm
+changes the target executable, which can be undesirable in production.
+In general,
+.Nm
+settings should be applied to programs at build time.
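Review bot: The new RESTRICTIONS text says running paxctl changes the target executable, "which can be undesirable in production", but no longer says why; the removed wording at least named the concern ("not alter the binary file signature"). Suggest keeping one clause to that effect, for example that rewriting the note section changes the file's contents, so any checksum or signature recorded for the binary no longer matches. The closing advice to apply settings at build time would also be easier to act on with a pointer to how that is done.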



CVS commit: src/usr.sbin/paxctl

2023-08-16 Thread David H. Gutteridge
Module Name:    src
Committed By:   gutteridge
Date:           Wed Aug 16 22:22:02 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8

Log Message:
paxctl.8: minor grammar/style corrections


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/usr.sbin/paxctl/paxctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.20 src/usr.sbin/paxctl/paxctl.8:1.21
--- src/usr.sbin/paxctl/paxctl.8:1.20	Fri Jun 23 10:27:12 2023
+++ src/usr.sbin/paxctl/paxctl.8	Wed Aug 16 22:22:02 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.20 2023/06/23 10:27:12 uwe Exp $
+.\"	$NetBSD: paxctl.8,v 1.21 2023/08/16 22:22:02 gutteridge Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -113,8 +113,8 @@ note sections to mark executables as hav
 This will be done using
 .Xr fileassoc 9
 in the future so that we can control who does the marking and
-not altering the binary file signature.
+not alter the binary file signature.
 .Po
 Note this also means that
-at present any flags set do not survive binary file upgrades
-.Pc .
+at present any flags set do not survive binary file upgrades.
+.Pc
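Review bot: In the parenthetical at the end of this hunk, "Note this also means that" directly follows the sentence about the future fileassoc(9) approach, yet "at present" shows it describes the current note-section behaviour. Since the wording is being touched anyway, suggest making the antecedent explicit, for example "Because the flags are stored in the file, they do not survive binary file upgrades." The pairing "control who does the marking and not alter" is also still awkward; "without altering" would read better.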



CVS commit: src/usr.sbin/paxctl

2023-06-23 Thread Valery Ushakov
Module Name:    src
Committed By:   uwe
Date:           Fri Jun 23 10:27:12 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8

Log Message:
paxctl(8): brush up

Tell the user how to list flags right away, not at the very end.

Do not repeat "for the program" 6 times for each flag letter, it's a
noise by itself already and the italics of .Ar program exacerbates it.

Make the list of flags compact but manually add breaks between the
pairs of enable/disable flags.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/paxctl/paxctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.19 src/usr.sbin/paxctl/paxctl.8:1.20
--- src/usr.sbin/paxctl/paxctl.8:1.19	Fri Jun 23 10:12:33 2023
+++ src/usr.sbin/paxctl/paxctl.8	Fri Jun 23 10:27:12 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.19 2023/06/23 10:12:33 uwe Exp $
+.\"	$NetBSD: paxctl.8,v 1.20 2023/06/23 10:27:12 uwe Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -44,9 +44,17 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
+To view existing flags on a
+.Ar program ,
+execute
+.Nm
+without any flags.
+.Pp
 If
 .Fl 0
-option is specified, all PaX flags (including reserved bits) are cleared.
+option is specified, all PaX flags
+.Pq including reserved bits
+are cleared.
 Otherwise, each flag can be prefixed either with a
 .Sq Cm +
 or a
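Review bot: In the added paragraph, "execute .Nm without any flags" is ambiguous on a page where "flags" means the PaX flags themselves as well as command-line arguments. Wording such as "with only the program name as an argument" would leave no doubt about which invocation lists the current settings.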
@@ -54,38 +62,27 @@ or a
 sign to add or remove the flag, respectively.
 .Pp
 The following flags are available:
-.Bl -tag -width Fl
+.Pp
+.Bl -tag -width Ds -compact
 .It Cm a
-Explicitly disable PaX ASLR (Address Space Layout Randomization) for
-.Ar program .
+Explicitly disable PaX ASLR (Address Space Layout Randomization).
 .It Cm A
-Explicitly enable PaX ASLR for
-.Ar program .
+Explicitly enable PaX ASLR.
+.Pp
 .It Cm g
-Explicitly disable PaX Segvguard for
-.Ar program .
+Explicitly disable PaX Segvguard.
 .It Cm G
-Explicitly enable PaX Segvguard for
-.Ar program .
+Explicitly enable PaX Segvguard.
+.Pp
 .It Cm m
 Explicitly disable PaX MPROTECT
 .Po Xr mprotect 2
 restrictions
-.Pc
-for
-.Ar program .
+.Pc .
 .It Cm M
-Explicitly enable PaX MPROTECT
-.Po Xr mprotect 2
-restrictions
-.Pc
-for
-.Ar program .
+Explicitly enable PaX MPROTECT.
 .El
-.Pp
-To view existing flags on a file, execute
-.Nm
-without any flags.
+.
 .Sh SEE ALSO
 .Xr mprotect 2 ,
 .Xr sysctl 3 ,
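Review bot: The list is now declared "-compact" but has ".Pp" inserted before ".It Cm g" and ".It Cm m" to separate the pairs, which looks contradictory to someone editing the source later. A short .\" comment above the ".Bl" line saying the breaks are deliberate group separators would keep a future cleanup from removing them.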



CVS commit: src/usr.sbin/paxctl

2023-06-23 Thread Valery Ushakov
Module Name:    src
Committed By:   uwe
Date:           Fri Jun 23 10:12:33 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8

Log Message:
paxctl(8): fix markup


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/paxctl/paxctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.18 src/usr.sbin/paxctl/paxctl.8:1.19
--- src/usr.sbin/paxctl/paxctl.8:1.18	Fri Jun 23 06:32:27 2023
+++ src/usr.sbin/paxctl/paxctl.8	Fri Jun 23 10:12:33 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.18 2023/06/23 06:32:27 wiz Exp $
+.\"	$NetBSD: paxctl.8,v 1.19 2023/06/23 10:12:33 uwe Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Op Fl 0 | Cm flags
+.Op Fl 0 | Ar flags
 .Ar program ...
 .Sh DESCRIPTION
 The
@@ -48,33 +48,33 @@ If
 .Fl 0
 option is specified, all PaX flags (including reserved bits) are cleared.
 Otherwise, each flag can be prefixed either with a
-.Dq +
+.Sq Cm +
 or a
-.Dq -
+.Sq Fl
 sign to add or remove the flag, respectively.
 .Pp
 The following flags are available:
-.Bl -tag -width flag
-.It a
+.Bl -tag -width Fl
+.It Cm a
 Explicitly disable PaX ASLR (Address Space Layout Randomization) for
 .Ar program .
-.It A
+.It Cm A
 Explicitly enable PaX ASLR for
 .Ar program .
-.It g
+.It Cm g
 Explicitly disable PaX Segvguard for
 .Ar program .
-.It G
+.It Cm G
 Explicitly enable PaX Segvguard for
 .Ar program .
-.It m
+.It Cm m
 Explicitly disable PaX MPROTECT
 .Po Xr mprotect 2
 restrictions
 .Pc
 for
 .Ar program .
-.It M
+.It Cm M
 Explicitly enable PaX MPROTECT
 .Po Xr mprotect 2
 restrictions
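Review bot: The two sign characters are now marked up differently: "+" as ".Sq Cm +" but "-" as ".Sq Fl", which relies on an argument-less Fl rendering as a bare dash. Using the same macro for both (for example ".Sq Cm \-") would make it obvious in the source that a literal minus sign is meant, not an option flag.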
@@ -112,11 +112,12 @@ The
 .Nm
 utility currently uses
 .Xr elf 5
-.Dq note
-sections to mark executables as having PaX flags enabled.
+note sections to mark executables as having PaX flags enabled.
 This will be done using
 .Xr fileassoc 9
 in the future so that we can control who does the marking and
 not altering the binary file signature.
-(Note this also means that
-at present any flags set do not survive binary file upgrades.)
+.Po
+Note this also means that
+at present any flags set do not survive binary file upgrades
+.Pc .
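Review bot: ".Pc ." moves the full stop outside the closing parenthesis, but the parenthetical is a complete sentence starting with "Note", and the plain-text original had the period inside. Suggest ending the text line with "upgrades." and closing with a bare ".Pc". The context line "not altering the binary file signature" also does not parse after "so that we can control ... and"; worth fixing in the same pass.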



CVS commit: src/usr.sbin/paxctl

2023-06-23 Thread Thomas Klausner
Module Name:    src
Committed By:   wiz
Date:           Fri Jun 23 06:32:28 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8

Log Message:
Use Fl for options.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/paxctl/paxctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.17 src/usr.sbin/paxctl/paxctl.8:1.18
--- src/usr.sbin/paxctl/paxctl.8:1.17	Fri Jun 23 01:56:21 2023
+++ src/usr.sbin/paxctl/paxctl.8	Fri Jun 23 06:32:27 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.17 2023/06/23 01:56:21 rin Exp $
+.\"	$NetBSD: paxctl.8,v 1.18 2023/06/23 06:32:27 wiz Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Op -0 | flags
+.Op Fl 0 | Cm flags
 .Ar program ...
 .Sh DESCRIPTION
 The
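Review bot: "Cm flags" marks "flags" as a literal command modifier, but it is a placeholder for the user's +/- flag string, like "program" on the next line, which uses Ar. Suggest ".Op Fl 0 | Ar flags" so both placeholders are typeset the same way.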



CVS commit: src/usr.sbin/paxctl

2023-06-22 Thread Rin Okuyama
Module Name:    src
Committed By:   rin
Date:           Fri Jun 23 01:56:21 UTC 2023

Modified Files:
        src/usr.sbin/paxctl: paxctl.8 paxctl.c

Log Message:
paxctl(8): Introduce -0 option to clear all PaX flag bits in ELF note.
Part of PR toolchain/52675


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/paxctl/paxctl.8
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/paxctl/paxctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.16 src/usr.sbin/paxctl/paxctl.8:1.17
--- src/usr.sbin/paxctl/paxctl.8:1.16	Tue Nov  8 08:21:52 2016
+++ src/usr.sbin/paxctl/paxctl.8	Fri Jun 23 01:56:21 2023
@@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.16 2016/11/08 08:21:52 wiz Exp $
+.\"	$NetBSD: paxctl.8,v 1.17 2023/06/23 01:56:21 rin Exp $
 .\"
 .\" Copyright 2006 Elad Efrat 
 .\" Copyright 2008 Christos Zoulas 
@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 7, 2016
+.Dd June 23, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Ar flags
+.Op -0 | flags
 .Ar program ...
 .Sh DESCRIPTION
 The
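Review bot: ".Op -0 | flags" puts the option and the argument in as raw text, so neither gets option or argument markup, unlike ".Ar program ..." on the following line. Suggest "Fl 0" for the option and "Ar flags" for the placeholder.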
@@ -44,7 +44,10 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
-Each flag can be prefixed either with a
+If
+.Fl 0
+option is specified, all PaX flags (including reserved bits) are cleared.
+Otherwise, each flag can be prefixed either with a
 .Dq +
 or a
 .Dq -
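Review bot: The added sentence reads "If -0 option is specified"; it needs an article ("If the"). It also continues with "Otherwise" without stating that -0 cannot be combined with +/- flags, which is what the new switch in paxctl.c enforces by calling usage(); one sentence saying the two are mutually exclusive would match the code.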

Index: src/usr.sbin/paxctl/paxctl.c
diff -u src/usr.sbin/paxctl/paxctl.c:1.12 src/usr.sbin/paxctl/paxctl.c:1.13
--- src/usr.sbin/paxctl/paxctl.c:1.12	Tue Oct 27 16:27:47 2009
+++ src/usr.sbin/paxctl/paxctl.c	Fri Jun 23 01:56:21 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $ */
+/* $NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $ */
 
 /*-
  * Copyright (c) 2006 Elad Efrat 
@@ -34,7 +34,7 @@
 #include 
 #ifndef lint
 #ifdef __RCSID
-__RCSID("$NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $");
+__RCSID("$NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $");
 #endif
 #endif /* not lint */
 
@@ -98,7 +98,8 @@ static const struct paxflag {
 static void
 usage(void)
 {
-	(void)fprintf(stderr, "Usage: %s [ <-|+> ]  ...\n",
+	(void)fprintf(stderr,
+	"Usage: %s [ -0 | <-|+> ]  ...\n",
 #if HAVE_NBTOOL_CONFIG_H
 	"paxctl"
 #else
@@ -165,7 +166,7 @@ pax_printflags(const char *name, int man
 
 static int
 process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
-int list, int many)
+int clear, int list, int many)
 {
 	union {
 	Elf32_Ehdr h32;
@@ -279,8 +280,12 @@ process_one(const char *name, uint32_t a
 			break;
 		}
 
-		pax_tag.flags |= SWAP(add_flags);
-		pax_tag.flags &= SWAP(~del_flags);
+		if (clear) {
+			pax_tag.flags = 0;
+		} else {
+			pax_tag.flags |= SWAP(add_flags);
+			pax_tag.flags &= SWAP(~del_flags);
+		}
 
 		if (!pax_flags_sane(SWAP(pax_tag.flags))) {
 			warnx("New flags 0x%x don't make sense",
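Review bot: The clear branch assigns "pax_tag.flags = 0", which wipes every bit in the note, including bits this tool has no name for, whereas the add/del path only touches the bits passed in. The man page says so ("including reserved bits"), but a one-line comment here would make it clear the difference is intentional. The result still goes through pax_flags_sane() below, so it is worth confirming that an all-zero value passes that check.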
@@ -315,7 +320,7 @@ int
 main(int argc, char **argv)
 {
 	char *opt;
-	int i, list = 0, bad = 0, many, minus;
+	int i, clear = 0, list = 0, bad = 0, many, minus;
 	uint32_t add_flags = 0, del_flags = 0;
 
 	setprogname(argv[0]);
@@ -326,6 +331,11 @@ main(int argc, char **argv)
 	for (i = 1; i < argc; i++) {
 		opt = argv[i];
 
+		if (strcmp(opt, "-0") == 0) {
+			clear = 1;
+			continue;
+		}
+
 		if (*opt == '-' || *opt == '+') {
 			uint32_t t;
 			minus = 0;
@@ -361,15 +371,21 @@ main(int argc, char **argv)
 	if (i == argc)
 		usage();
 
-	if (add_flags || del_flags) {
-		if (list)
-			usage();
-	} else
+	switch ((add_flags != 0 || del_flags != 0) + clear) {
+	case 0:
 		list = 1;
+		break;
+	case 1:
+		break;
+	default:
+		usage();
+	}
 
 	many = i != argc - 1;
-	for (; i < argc; i++)
-		bad |= process_one(argv[i], add_flags, del_flags, list, many);
+	for (; i < argc; i++) {
+		bad |= process_one(argv[i], add_flags, del_flags,
+		clear, list, many);
+	}
 
 	return bad ? EXIT_FAILURE : 0;
 }
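Review bot: "switch ((add_flags != 0 || del_flags != 0) + clear)" counts the requested operations by adding two truth values, which only works while clear is exactly 0 or 1 and is hard to read at a glance. Suggest either a comment above the switch or explicit conditions (no operation means list; flag changes together with -0 means usage()). Case 1 also drops the old "if (list) usage();" check; if nothing earlier in main() can set list that is fine, but please confirm.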


