Diffstat (limited to 'html/revdep-pax.html')
-rw-r--r-- html/revdep-pax.html 679
1 files changed, 679 insertions, 0 deletions
diff --git a/html/revdep-pax.html b/html/revdep-pax.html
new file mode 100644
index 0000000..ee4e6d4
--- /dev/null
+++ b/html/revdep-pax.html
@@ -0,0 +1,679 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo revdep-pax introduction</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo revdep-pax introduction</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What's revdep-pax about?</option>
+<option value="#doc_chap2">2. Using revdep-pax</option>
+<option value="#doc_chap3">3. Listing PaX Flags and Capabilities</option>
+<option value="#doc_chap4">4. Programming with ELF files</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What's revdep-pax about?</p>
+<p class="secthead"><a name="doc_chap1_sect1">A quick introduction to PaX markings.</a></p>
+<p>
+There are some programs which won't be able to run in an environment with all
+the PaX features enabled, for example you may have a program which has so called
+<span class="emphasis">text relocations</span> or you may have a language interpreter doing JIT code
+compilation and requiring <span class="emphasis">RWX</span> mappings you may also have a program that
+saves data including internal pointers into an mmaped file and which needs to be
+restored in the same place no matter what. You could also be holding a security
+competition and need to disable the execution restrictions and force it to
+use fixed addresses on a particular program so it can be exploited doing a
+simple nop sled based stack overflow to get to the next level. For taking into
+account these issues binaries can be marked to force on or off some of the PaX
+features.
+</p>
+<p>
+Currently, the PaX features that can be lessened or enforced to allow programs
+to run are:
+</p>
+<dl>
+ <dt><b>PAGEEXEC</b></dt>
+ <dd>Paging based execution restrictions. This is what other OSes know as
+ <span class="emphasis">NX</span>.</dd>
+ <dt><b>EMUTRAMP</b></dt>
+ <dd>Trampoline emulation. Required by for amongst other things code with
+ nested functions.</dd>
+ <dt><b>MPROTECT</b></dt>
+ <dd>Prevents the introduction of new executable code in the task. This is the
+ one you are more likely to need disabling with libraries generating JIT code.
+ </dd>
+ <dt><b>RANDMMAP</b></dt>
+ <dd>Randomizes the addresses where mappings are made unless the program
+ explicitly requests one (using the MAP_FIXED flag).</dd>
+ <dt><b>RANDEXEC</b></dt>
+ <dd>This flag is currently deprecated and was used to enforce random placement
+ of the executable part of the binary.</dd>
+ <dt><b>SEGMEXEC</b></dt>
+ <dd>This flag enables segmentation based execution protection. This feature is
+ not available on the amd64 architecture so in that architecture is disables by
+ default.</dd>
+</dl>
+<p>
+There are various ways in which this advice to lessen the environment can be
+provided to the system, amongst others Mandatory Access Control rules, extended
+attributes and two kinds of markings on the binaries themselves, the legacy ones
+which abuse an unused field in the ELF headers and the new ones which add a new
+specific section to the ELF file with the markings.
+</p>
+<p>
+All this markings though are only read in the executable and not in the
+libraries linked by it to prevent some possible attacks (like libraries being
+injected via LD_PRELOAD) and because it eases a lot the implementation since the
+kernel shouldn't be aware of linking details.
+</p>
+<p>
+This system has a problem: if we have a binary linking to a library which
+requires, for example, trampoline emulation because it uses nested functions how
+can we make sure the binary gets the propper markings? Yeah we could add PaX
+marks to the library to state it needs trampoline emulation but still we haven't
+fixed the issue since the kernel will only read the marks on the binary being
+called. In order to solve this issue we have created <span class="code" dir="ltr">revdep-pax</span>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">What's revdep-pax?</a></p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is a tool that allows to check for differences in PaX markings
+between elf objects linking to libraries (for example <span class="path" dir="ltr">/bin/bash</span>)
+and the libraries themselves (for example <span class="path" dir="ltr">/lib64/libc.so.6</span>).
+</p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is able to do this in various ways, it can check for
+differences <span class="emphasis">forward</span> from one binary to all the libraries it links and it
+can also check for PaX marking differences <span class="emphasis">backwards</span> from one library to
+all the binaries linking to it (which may include other libraries too). In a
+similar way it is possible to have all the forward and reverse mappings in the
+system checked to try finding issues.
+</p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is also able to propagate these markings both forward to the
+libraries linked by an object and backwards to the objects linked by a library.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Using revdep-pax</p>
+<p class="secthead"><a name="doc_chap2_sect1">Propagating PaX marks backwards from a library to objects that link at it
+</a></p>
+<p>
+This is going to be probably the main way in which you are going to use this
+utility. What it does is check all the libraries linked statically
+The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-p</td>
+ <td class="tableinfo">--path</td>
+ <td class="tableinfo">Scan all directories in PATH environment</td>
+</tr>
+<tr>
+ <td class="tableinfo">-l</td>
+ <td class="tableinfo">--ldpath</td>
+ <td class="tableinfo">Scan all directories in /etc/ld.so.conf</td>
+</tr>
+<tr>
+ <td class="tableinfo">-R</td>
+ <td class="tableinfo">--recursive</td>
+ <td class="tableinfo">Scan directories recursively</td>
+</tr>
+<tr>
+ <td class="tableinfo">-m</td>
+ <td class="tableinfo">--mount</td>
+ <td class="tableinfo">Don't recursively cross mount points</td>
+</tr>
+<tr>
+ <td class="tableinfo">-y</td>
+ <td class="tableinfo">--symlink</td>
+ <td class="tableinfo">Don't scan symlinks</td>
+</tr>
+<tr>
+ <td class="tableinfo">-A</td>
+ <td class="tableinfo">--archives</td>
+ <td class="tableinfo">Scan archives (.a files)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-L</td>
+ <td class="tableinfo">--ldcache</td>
+ <td class="tableinfo">Utilize ld.so.cache information (use with -r/-n)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-X</td>
+ <td class="tableinfo">--fix</td>
+ <td class="tableinfo">Try and 'fix' bad things (use with -r/-e)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-z [arg]</td>
+ <td class="tableinfo">--setpax [arg]</td>
+ <td class="tableinfo">Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-x</td>
+ <td class="tableinfo">--pax</td>
+ <td class="tableinfo">Print PaX markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-e</td>
+ <td class="tableinfo">--header</td>
+ <td class="tableinfo">Print GNU_STACK/PT_LOAD markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-t</td>
+ <td class="tableinfo">--textrel</td>
+ <td class="tableinfo">Print TEXTREL information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-r</td>
+ <td class="tableinfo">--rpath</td>
+ <td class="tableinfo">Print RPATH information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-n</td>
+ <td class="tableinfo">--needed</td>
+ <td class="tableinfo">Print NEEDED information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-i</td>
+ <td class="tableinfo">--interp</td>
+ <td class="tableinfo">Print INTERP information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-b</td>
+ <td class="tableinfo">--bind</td>
+ <td class="tableinfo">Print BIND information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-S</td>
+ <td class="tableinfo">--soname</td>
+ <td class="tableinfo">Print SONAME information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-s [arg]</td>
+ <td class="tableinfo">--symbol [arg]</td>
+ <td class="tableinfo">Find a specified symbol</td>
+</tr>
+<tr>
+ <td class="tableinfo">-k [arg]</td>
+ <td class="tableinfo">--section [arg]</td>
+ <td class="tableinfo">Find a specified section</td>
+</tr>
+<tr>
+ <td class="tableinfo">-N [arg]</td>
+ <td class="tableinfo">--lib [arg]</td>
+ <td class="tableinfo">Find a specified library</td>
+</tr>
+<tr>
+ <td class="tableinfo">-g</td>
+ <td class="tableinfo">--gmatch</td>
+ <td class="tableinfo">Use strncmp to match libraries. (use with -N)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-T</td>
+ <td class="tableinfo">--textrels</td>
+ <td class="tableinfo">Locate cause of TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">-E [arg]</td>
+ <td class="tableinfo">--etype [arg]</td>
+ <td class="tableinfo">Print only ELF files matching etype ET_DYN,ET_EXEC ...</td>
+</tr>
+<tr>
+ <td class="tableinfo">-M [arg]</td>
+ <td class="tableinfo">--bits [arg]</td>
+ <td class="tableinfo">Print only ELF files matching numeric bits</td>
+</tr>
+<tr>
+ <td class="tableinfo">-a</td>
+ <td class="tableinfo">--all</td>
+ <td class="tableinfo">Print all scanned info (-x -e -t -r -b)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-q</td>
+ <td class="tableinfo">--quiet</td>
+ <td class="tableinfo">Only output 'bad' things</td>
+</tr>
+<tr>
+ <td class="tableinfo">-v</td>
+ <td class="tableinfo">--verbose</td>
+ <td class="tableinfo">Be verbose (can be specified more than once)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-F [arg]</td>
+ <td class="tableinfo">--format [arg]</td>
+ <td class="tableinfo">Use specified format for output</td>
+</tr>
+<tr>
+ <td class="tableinfo">-f [arg]</td>
+ <td class="tableinfo">--from [arg]</td>
+ <td class="tableinfo">Read input stream from a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-o [arg]</td>
+ <td class="tableinfo">--file [arg]</td>
+ <td class="tableinfo">Write output stream to a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-B</td>
+ <td class="tableinfo">--nobanner</td>
+ <td class="tableinfo">Don't display the header</td>
+</tr>
+<tr>
+ <td class="tableinfo">-h</td>
+ <td class="tableinfo">--help</td>
+ <td class="tableinfo">Print this help and exit</td>
+</tr>
+<tr>
+ <td class="tableinfo">-V</td>
+ <td class="tableinfo">--version</td>
+ <td class="tableinfo">Print version and exit</td>
+</tr>
+</table>
+<p>
+The format specifiers for the <span class="code" dir="ltr">-F</span> option are given in the following table.
+Prefix each specifier with <span class="code" dir="ltr">%</span> (verbose) or <span class="code" dir="ltr">#</span> (silent) accordingly.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">F</td>
+ <td class="tableinfo">Filename</td>
+ <td class="tableinfo">x</td>
+ <td class="tableinfo">PaX Flags</td>
+</tr>
+<tr>
+ <td class="tableinfo">e</td>
+ <td class="tableinfo">STACK/RELRO</td>
+ <td class="tableinfo">t</td>
+ <td class="tableinfo">TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">r</td>
+ <td class="tableinfo">RPATH</td>
+ <td class="tableinfo">n</td>
+ <td class="tableinfo">NEEDED</td>
+</tr>
+<tr>
+ <td class="tableinfo">i</td>
+ <td class="tableinfo">INTERP</td>
+ <td class="tableinfo">b</td>
+ <td class="tableinfo">BIND</td>
+</tr>
+<tr>
+ <td class="tableinfo">s</td>
+ <td class="tableinfo">Symbol</td>
+ <td class="tableinfo">N</td>
+ <td class="tableinfo">Library</td>
+</tr>
+<tr>
+ <td class="tableinfo">o</td>
+ <td class="tableinfo">Type</td>
+ <td class="tableinfo">p</td>
+ <td class="tableinfo">File name</td>
+</tr>
+<tr>
+ <td class="tableinfo">f</td>
+ <td class="tableinfo">Base file name</td>
+ <td class="tableinfo">k</td>
+ <td class="tableinfo">Section</td>
+</tr>
+<tr>
+ <td class="tableinfo">a</td>
+ <td class="tableinfo">ARCH/e_machine</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo"></td>
+</tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect2">Using scanelf for Text Relocations</a></p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to find binaries containing text
+relocations.
+</p>
+<p>
+A relocation is an operation that rewrites an address in a loaded segment. Such
+an address rewrite can happen when a segment has references to a shared object
+and that shared object is loaded in memory. In this case, the references are
+substituted with the real address values. Similar events can occur inside the
+shared object itself.
+</p>
+<p>
+A text relocation is a relocation in the text segment. Since text segments
+contain executable code, system administrators might prefer not to have these
+segments writable. This is perfectly possible, but since text relocations
+actually write in the text segment, it is not always feasible.
+</p>
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <span class="emphasis">Position Independent
+Code</span> (PIC), making references obsolete. This not only increases security,
+but also increases the performance in case of shared objects (allowing writes in
+the text segment requires a swap space reservation and a private copy of the
+shared object for each application that uses it).
+</p>
+<p>
+The following example will search your library paths recursively, without
+leaving the mounted file system and ignoring symbolic links, for any ELF binary
+containing a text relocation:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scanning the system for text relocation binaries</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lqtmyR</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to scan your entire system for <span class="emphasis">any</span> file containing text
+relocations:
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Scanning the entire system for text relocation files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -qtmyR /</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect3">Using scanelf for Specific Header</a></p>
+<p>
+The scanelf util can be used to quickly identify files that contain a
+given section header using the -k .section option.
+</p>
+<p>
+In this example we are looking for all files in /usr/lib/debug
+recursively using a format modifier with quiet mode enabled that have been
+stripped. A stripped elf will lack a .symtab entry, so we use the '!'
+to invert the matching logic.
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Scanning for stripped or non stripped executables</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect4">Using scanelf for Specific Segment Markings</a></p>
+<p>
+Each segment has specific flags assigned to it in the Program Header of the
+binary. One of those flags is the type of the segment. Interesting values are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
+segment contains dynamic linking information), PT_INTERP (the segment
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
+(a PaX extension for the ELF format, used by the security-minded
+<a href="http://pax.grsecurity.net/">PaX Project</a>.
+</p>
+<p>
+If we want to scan all executables in the current working directory, PATH
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lpqe .</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect5">Using scanelf's Format Modifier Handler</a></p>
+<p>
+A useful feature of the <span class="code" dir="ltr">scanelf</span> utility is the format modifier handler.
+With this option you can control the output of <span class="code" dir="ltr">scanelf</span>, thereby
+simplifying parsing the output with scripts.
+</p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to print the file names that contain
+text relocations:
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Example of the scanelf format modifier handler</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -l -p -R -q -F "%F #t"</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="pspax"></a><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Listing PaX Flags and Capabilities</p>
+<p class="secthead"><a name="doc_chap3_sect1">About PaX</a></p>
+<p>
+<a href="http://pax.grsecurity.net">PaX</a> is a project hosted by the <a href="http://www.grsecurity.net">grsecurity</a> project. Quoting the <a href="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</a>, its main
+goal is "to research various defense mechanisms against the exploitation of
+software bugs that give an attacker arbitrary read/write access to the
+attacked task's address space. This class of bugs contains among others
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <a href="http://hardened.gentoo.org">Hardened Gentoo</a> project supports PaX and
+its parent project, grsecurity. The supported kernel package is
+<span class="code" dir="ltr">sys-kernel/hardened-sources</span>.
+</p>
+<p>
+The Gentoo/Hardened project has a <a href="pax-quickstart.html">Gentoo PaX Quickstart Guide</a>
+for your reading pleasure.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Flags and Capabilities</a></p>
+<p>
+If your toolchain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Flag</b></td>
+ <td class="infohead"><b>Name</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">P</td>
+ <td class="tableinfo">PAGEEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the NX bit
+ (or emulated NX bit)
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">S</td>
+ <td class="tableinfo">SEGMEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the
+ segmentation logic of IA-32
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">E</td>
+ <td class="tableinfo">EMUTRAMP</td>
+ <td class="tableinfo">
+ Allow known code execution sequences on writable pages that
+ should not cause any harm
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">M</td>
+ <td class="tableinfo">MPROTECT</td>
+ <td class="tableinfo">
+ Prevent the creation of new executable code to the process
+ address space
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">R</td>
+ <td class="tableinfo">RANDMMAP</td>
+ <td class="tableinfo">
+ Randomize the stack base to prevent certain stack overflow
+ attacks from being successful
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">X</td>
+ <td class="tableinfo">RANDEXEC</td>
+ <td class="tableinfo">
+ Randomize the address where the application maps to prevent
+ certain attacks from being exploitable
+ </td>
+</tr>
+</table>
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <span class="emphasis">POSIX.1e Capabilities</span>. You can find a listing of those
+capabilities in our <a href="capabilities.html">POSIX Capabilities</a> document.
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Using pspax</a></p>
+<p>
+The <span class="code" dir="ltr">pspax</span> application, part of the <span class="code" dir="ltr">pax-utils</span> package, displays the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+<p>
+When ran, <span class="code" dir="ltr">pspax</span> shows the following information:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Column</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">USER</td>
+ <td class="tableinfo">Owner of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">PID</td>
+ <td class="tableinfo">Process id</td>
+</tr>
+<tr>
+ <td class="tableinfo">PAX</td>
+ <td class="tableinfo">Run-time PaX flags (if applicable)</td>
+</tr>
+<tr>
+ <td class="tableinfo">MAPS</td>
+ <td class="tableinfo">Write/eXecute markings for the process map</td>
+</tr>
+<tr>
+ <td class="tableinfo">ELF_TYPE</td>
+ <td class="tableinfo">Process executable type: ET_DYN or ET_EXEC</td>
+</tr>
+<tr>
+ <td class="tableinfo">NAME</td>
+ <td class="tableinfo">Name of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">CAPS</td>
+ <td class="tableinfo">POSIX.1e capabilities (see note)</td>
+</tr>
+<tr>
+ <td class="tableinfo">ATTR</td>
+ <td class="tableinfo">Extended attributes (if applicable)</td>
+</tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+<span class="code" dir="ltr">pspax</span> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <span class="code" dir="ltr">pax-utils</span>
+with -DWANT_SYSCAP.
+</p></td></tr></table>
+<p>
+By default, <span class="code" dir="ltr">pspax</span> does not show any kernel processes. If you want those
+to be taken as well, use the <span class="code" dir="ltr">-a</span> switch.
+</p>
+<p class="chaphead"><a name="dumpelf"></a><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Programming with ELF files</p>
+<p class="secthead"><a name="doc_chap4_sect1">The dumpelf Utility</a></p>
+<p>
+With the <span class="code" dir="ltr">dumpelf</span> utility you can convert a ELF file into human readable C
+code that defines a structure with the same image as the original ELF file.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: dumpelf example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">dumpelf /bin/hostname</span>
+#include &lt;elf.h&gt;
+
+<span class="code-comment">/*
+ * ELF dump of '/bin/hostname'
+ * 10276 (0x2824) bytes
+ */</span>
+
+struct {
+ Elf32_Ehdr ehdr;
+ Elf32_Phdr phdrs[8];
+ Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+<span class="code-comment">(... Output stripped ...)</span>
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="klondike?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 19, 2012</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide provides an introduction to revdep-pax and how to use it to propagate
+the PaC markings caused by libraries requiring them, for example, libraries
+requiring RWX memory in order to process JIT code.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:klondike@gentoo.org" class="altlink"><b>Francisco Blas Izquierdo Riera</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
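Review bot: Section 2.1 ("Propagating PaX marks backwards from a library to objects that link at it") stops mid-sentence at "What it does is check all the libraries linked statically" and runs straight into "The scanelf application is part of the app-misc/pax-utils package", so the new guide never shows how revdep-pax is actually invoked. Everything after that point (the scanelf option and format-specifier tables, listings 2.1 to 2.5, chapter 3 on pspax, chapter 4 on dumpelf) documents other tools rather than revdep-pax; finish the revdep-pax usage text, then either drop those sections or justify them in the introduction, and update the Content selector to match. While there, chapter 3's flag table describes RANDMMAP as "Randomize the stack base", which disagrees with the mmap-address definition given for the same flag in chapter 1, and the sidebar summary says "PaC markings" where the rest of the document says PaX.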