From: "Francisco Blas Izquierdo Riera" <klondike@xiscosoft.es>
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Francisco Blas Izquierdo Riera" <klondike@xiscosoft.es>
Message-ID: <1333381749.036119a286cf69f29a0aad81ee98d5f1128cdf1f.klondike@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/revdep-pax.xml
X-VCS-Directories: xml/
X-VCS-Committer: klondike
X-VCS-Committer-Name: Francisco Blas Izquierdo Riera
X-VCS-Revision: 036119a286cf69f29a0aad81ee98d5f1128cdf1f
X-VCS-Branch: master
Date: Mon,  2 Apr 2012 15:50:23 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable

commit:     036119a286cf69f29a0aad81ee98d5f1128cdf1f
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Mon Apr  2 15:49:09 2012 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Mon Apr  2 15:49:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=036119a2

WIP on the revdep-pax guide

---
 xml/revdep-pax.xml |  740 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 740 insertions(+), 0 deletions(-)

diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
new file mode 100644
index 0000000..ba9f822
--- /dev/null
+++ b/xml/revdep-pax.xml
@@ -0,0 +1,740 @@
+<?xml version=3D'1.0' encoding=3D"UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: $ -->
+
+<guide>
+<title>Gentoo revdep-pax introduction</title>
+
+<author title=3D"Author">
+  <mail link=3D"klondike"/>
+</author>
+
+<abstract>
+This guide provides an introduction to revdep-pax and how to use it to p=
ropagate
+the PaC markings caused by libraries requiring them, for example, librar=
ies
+requiring RWX memory in order to process JIT code.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license=
 -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2012-02-19</date>
+
+<chapter>
+<title>What's <c>revdep-pax</c> about?</title>
+
+<p by=3D"Geroge Orwell">
+Since the early days of PaX it was known that all programs were equal al=
though
+some were more equal than others and needed an environment with less
+restrictions in order to be able to run. Thus, in order to have a secure=
 way of
+allowing system administrators and users telling the system which binari=
es
+needed this lessened environment the PaX marks were created.
+</p>
+
+<section>
+<title>A quick introduction to PaX markings.</title>
+<body>
+
+<p>
+There are some programs which won't be able to run in an environment wit=
h all
+the PaX features enabled, for example you may have a program which has s=
o called
+<e>text relocations</e> or you may have a language interpreter doing JIT=
 code
+compilation and requiring <e>RWX</e> mappings you may also have a progra=
m that
+saves data including internal pointers into an mmaped file and which nee=
ds to be
+restored in the same place no matter what. You could also be holding a s=
ecurity
+competition and need to disable the execution restrictions and force it =
to
+use fixed addresses on a particular program so it can be exploited doing=
 a
+simple nop sled based stack overflow to get to the next level. For takin=
g into
+account these issues binaries can be marked to force on or off some of t=
he PaX
+features.
+</p>
+
+<p>
+Currently, the PaX features that can be lessened or enforced to allow pr=
ograms
+to run are:
+</p>
+
+<dl>
+  <dt><b>PAGEEXEC</b></dt>
+  <dd>Paging based execution restrictions. This is what other OSes know =
as
+  <e>NX</e>.</dd>
+  <dt><b>EMUTRAMP</b></dt>
+  <dd>Trampoline emulation. Required by for amongst other things code wi=
th
+  nested functions.</dd>
+  <dt><b>MPROTECT</b></dt>
+  <dd>Prevents the introduction of new executable code in the task. This=
 is the
+  one you are more likely to need disabling with libraries generating JI=
T code.
+  </dd>
+  <dt><b>RANDMMAP</b></dt>
+  <dd>Randomizes the addresses where mappings are made unless the progra=
m
+  explicitly requests one (using the MAP_FIXED flag).</dd>
+  <dt><b>RANDEXEC</b></dt>
+  <dd>This flag is currently deprecated and was used to enforce random p=
lacement
+  of the executable part of the binary.</dd>
+  <dt><b>SEGMEXEC</b></dt>
+  <dd>This flag enables segmentation based execution protection. This fe=
ature is
+  not available on the amd64 architecture so in that architecture is dis=
ables by
+  default.</dd>
+</dl>
+
+<p>
+There are various ways in which this advice to lessen the environment ca=
n be
+provided to the system, amongst others Mandatory Access Control rules, e=
xtended
+attributes and two kinds of markings on the binaries themselves, the leg=
acy ones
+which abuse an unused field in the ELF headers and the new ones which ad=
d a new
+specific section to the ELF file with the markings.
+</p>
+
+<p>
+All this markings though are only read in the executable and not in the
+libraries linked by it to prevent some possible attacks (like libraries =
being
+injected via LD_PRELOAD) and because it eases a lot the implementation s=
ince the
+kernel shouldn't be aware of linking details.
+</p>
+
+<p>
+This system has a problem: if we have a binary linking to a library whic=
h
+requires, for example, trampoline emulation because it uses nested funct=
ions how
+can we make sure the binary gets the propper markings? Yeah we could add=
 PaX
+marks to the library to state it needs trampoline emulation but still we=
 haven't
+fixed the issue since the kernel will only read the marks on the binary =
being
+called. In order to solve this issue we have created <c>revdep-pax</c>.
+</p>
+
+</body>
+</section>
+<section>
+<title>What's <c>revdep-pax</c>?</title>
+<body>
+
+<p>
+<c>revdep-pax</c> is a tool that allows to check for differences in PaX =
markings
+between elf objects linking to libraries (for example <path>/bin/bash</p=
ath>)
+and the libraries themselves (for example <path>/lib64/libc.so.6</path>)=
.
+</p>
+
+<p>
+<c>revdep-pax</c> is able to do this in various ways, it can check for
+differences <e>forward</e> from one binary to all the libraries it links=
 and it
+can also check for PaX marking differences <e>backwards</e> from one lib=
rary to
+all the binaries linking to it (which may include other libraries too). =
In a
+similar way it is possible to have all the forward and reverse mappings =
in the
+system checked to try finding issues.
+</p>
+
+<p>
+<c>revdep-pax</c> is also able to propagate these markings both forward =
to the
+libraries linked by an object and backwards to the objects linked by a l=
ibrary.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Using <c>revdep-pax</c></title>
+
+<p by=3D"The Emperor">
+In order to witness the firepower of this fully ARMED and OPERATIONAL to=
ol
+you'll first need to learn how to use it, once you are done, you'll be
+able to fire at will.
+</p>
+
+<section>
+<title>Propagating PaX marks backwards from a library to objects that li=
nk at it
+</title>
+<body>
+
+<p>
+This is going to be probably the main way in which you are going to use =
this
+utility. What it does is check all the libraries linked statically=20
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> =
package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+
+<table>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-p</ti>
+  <ti>--path</ti>
+  <ti>Scan all directories in PATH environment</ti>
+</tr>
+<tr>
+  <ti>-l</ti>
+  <ti>--ldpath</ti>
+  <ti>Scan all directories in /etc/ld.so.conf</ti>
+</tr>
+<tr>
+  <ti>-R</ti>
+  <ti>--recursive</ti>
+  <ti>Scan directories recursively</ti>
+</tr>
+<tr>
+  <ti>-m</ti>
+  <ti>--mount</ti>
+  <ti>Don't recursively cross mount points</ti>
+</tr>
+<tr>
+  <ti>-y</ti>
+  <ti>--symlink</ti>
+  <ti>Don't scan symlinks</ti>
+</tr>
+<tr>
+  <ti>-A</ti>
+  <ti>--archives</ti>
+  <ti>Scan archives (.a files)</ti>
+</tr>
+<tr>
+  <ti>-L</ti>
+  <ti>--ldcache</ti>
+  <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
+</tr>
+<tr>
+  <ti>-X</ti>
+  <ti>--fix</ti>
+  <ti>Try and 'fix' bad things (use with -r/-e)</ti>
+</tr>
+<tr>
+  <ti>-z [arg]</ti>
+  <ti>--setpax [arg]</ti>
+  <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
+</tr>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-x</ti>
+  <ti>--pax</ti>
+  <ti>Print PaX markings</ti>
+</tr>
+<tr>
+  <ti>-e</ti>
+  <ti>--header</ti>
+  <ti>Print GNU_STACK/PT_LOAD markings</ti>
+</tr>
+<tr>
+  <ti>-t</ti>
+  <ti>--textrel</ti>
+  <ti>Print TEXTREL information</ti>
+</tr>
+<tr>
+  <ti>-r</ti>
+  <ti>--rpath</ti>
+  <ti>Print RPATH information</ti>
+</tr>
+<tr>
+  <ti>-n</ti>
+  <ti>--needed</ti>
+  <ti>Print NEEDED information</ti>
+</tr>
+<tr>
+  <ti>-i</ti>
+  <ti>--interp</ti>
+  <ti>Print INTERP information</ti>
+</tr>
+<tr>
+  <ti>-b</ti>
+  <ti>--bind</ti>
+  <ti>Print BIND information</ti>
+</tr>
+<tr>
+  <ti>-S</ti>
+  <ti>--soname</ti>
+  <ti>Print SONAME information</ti>
+</tr>
+<tr>
+  <ti>-s [arg]</ti>
+  <ti>--symbol [arg]</ti>
+  <ti>Find a specified symbol</ti>
+</tr>
+<tr>
+  <ti>-k [arg]</ti>
+  <ti>--section [arg]</ti>
+  <ti>Find a specified section</ti>
+</tr>
+<tr>
+  <ti>-N [arg]</ti>
+  <ti>--lib [arg]</ti>
+  <ti>Find a specified library</ti>
+</tr>
+<tr>
+  <ti>-g</ti>
+  <ti>--gmatch</ti>
+  <ti>Use strncmp to match libraries. (use with -N)</ti>
+</tr>
+<tr>
+  <ti>-T</ti>
+  <ti>--textrels</ti>
+  <ti>Locate cause of TEXTREL</ti>
+</tr>
+<tr>
+  <ti>-E [arg]</ti>
+  <ti>--etype [arg]</ti>
+  <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
+</tr>
+<tr>
+  <ti>-M [arg]</ti>
+  <ti>--bits [arg]</ti>
+  <ti>Print only ELF files matching numeric bits</ti>
+</tr>
+<tr>
+  <ti>-a</ti>
+  <ti>--all</ti>
+  <ti>Print all scanned info (-x -e -t -r -b)</ti>
+</tr>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-q</ti>
+  <ti>--quiet</ti>
+  <ti>Only output 'bad' things</ti>
+</tr>
+<tr>
+  <ti>-v</ti>
+  <ti>--verbose</ti>
+  <ti>Be verbose (can be specified more than once)</ti>
+</tr>
+<tr>
+  <ti>-F [arg]</ti>
+  <ti>--format [arg]</ti>
+  <ti>Use specified format for output</ti>
+</tr>
+<tr>
+  <ti>-f [arg]</ti>
+  <ti>--from [arg]</ti>
+  <ti>Read input stream from a filename</ti>
+</tr>
+<tr>
+  <ti>-o [arg]</ti>
+  <ti>--file [arg]</ti>
+  <ti>Write output stream to a filename</ti>
+</tr>
+<tr>
+  <ti>-B</ti>
+  <ti>--nobanner</ti>
+  <ti>Don't display the header</ti>
+</tr>
+<tr>
+  <ti>-h</ti>
+  <ti>--help</ti>
+  <ti>Print this help and exit</ti>
+</tr>
+<tr>
+  <ti>-V</ti>
+  <ti>--version</ti>
+  <ti>Print version and exit</ti>
+</tr>
+</table>
+
+<p>
+The format specifiers for the <c>-F</c> option are given in the followin=
g table.
+Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accor=
dingly.
+</p>
+
+<table>
+<tr>
+  <th>Specifier</th>
+  <th>Full Name</th>
+  <th>Specifier</th>
+  <th>Full Name</th>
+</tr>
+<tr>
+  <ti>F</ti>
+  <ti>Filename</ti>
+  <ti>x</ti>
+  <ti>PaX Flags</ti>
+</tr>
+<tr>
+  <ti>e</ti>
+  <ti>STACK/RELRO</ti>
+  <ti>t</ti>
+  <ti>TEXTREL</ti>
+</tr>
+<tr>
+  <ti>r</ti>
+  <ti>RPATH</ti>
+  <ti>n</ti>
+  <ti>NEEDED</ti>
+</tr>
+<tr>
+  <ti>i</ti>
+  <ti>INTERP</ti>
+  <ti>b</ti>
+  <ti>BIND</ti>
+</tr>
+<tr>
+  <ti>s</ti>
+  <ti>Symbol</ti>
+  <ti>N</ti>
+  <ti>Library</ti>
+</tr>
+<tr>
+  <ti>o</ti>
+  <ti>Type</ti>
+  <ti>p</ti>
+  <ti>File name</ti>
+</tr>
+<tr>
+  <ti>f</ti>
+  <ti>Base file name</ti>
+  <ti>k</ti>
+  <ti>Section</ti>
+</tr>
+<tr>
+  <ti>a</ti>
+  <ti>ARCH/e_machine</ti>
+  <ti>&nbsp;</ti>
+  <ti>&nbsp;</ti>
+</tr>
+</table>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Text Relocations</title>
+<body>
+
+<p>
+As an example, we will use <c>scanelf</c> to find binaries containing te=
xt
+relocations.
+</p>
+
+<p>
+A relocation is an operation that rewrites an address in a loaded segmen=
t. Such
+an address rewrite can happen when a segment has references to a shared =
object
+and that shared object is loaded in memory. In this case, the references=
 are
+substituted with the real address values. Similar events can occur insid=
e the=20
+shared object itself.
+</p>
+
+<p>
+A text relocation is a relocation in the text segment. Since text segmen=
ts
+contain executable code, system administrators might prefer not to have =
these
+segments writable. This is perfectly possible, but since text relocation=
s
+actually write in the text segment, it is not always feasible.=20
+</p>
+
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <e>Position Indepen=
dent
+Code</e> (PIC), making references obsolete. This not only increases secu=
rity,
+but also increases the performance in case of shared objects (allowing w=
rites in
+the text segment requires a swap space reservation and a private copy of=
 the
+shared object for each application that uses it).
+</p>
+
+<p>
+The following example will search your library paths recursively, withou=
t
+leaving the mounted file system and ignoring symbolic links, for any ELF=
 binary
+containing a text relocation:
+</p>
+
+<pre caption=3D"Scanning the system for text relocation binaries">
+# <i>scanelf -lqtmyR</i>
+</pre>
+
+<p>
+If you want to scan your entire system for <e>any</e> file containing te=
xt
+relocations:
+</p>
+
+<pre caption=3D"Scanning the entire system for text relocation files">
+# <i>scanelf -qtmyR /</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Header</title>
+<body>
+
+<p>
+The scanelf util can be used to quickly identify files that contain a=20
+given section header using the -k .section option.
+</p>
+
+<p>
+In this example we are looking for all files in /usr/lib/debug=20
+recursively using a format modifier with quiet mode enabled that have be=
en=20
+stripped. A stripped elf will lack a .symtab entry, so we use the '!'=20
+to invert the matching logic.
+</p>
+
+<pre caption=3D"Scanning for stripped or non stripped executables">
+# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Segment Markings</title>
+<body>
+
+<p>
+Each segment has specific flags assigned to it in the Program Header of =
the
+binary. One of those flags is the type of the segment. Interesting value=
s are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (th=
e
+segment contains dynamic linking information), PT_INTERP (the segment=20
+contains the name of the program interpreter), PT_GNU_STACK (a GNU exten=
sion
+for the ELF format, used by some stack protection mechanisms), and PT_PA=
X_FLAGS
+(a PaX extension for the ELF format, used by the security-minded=20
+<uri link=3D"http://pax.grsecurity.net/">PaX Project</uri>.
+</p>
+
+<p>
+If we want to scan all executables in the current working directory, PAT=
H
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following =
command:
+</p>
+
+<pre caption=3D"Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_=
STACK">
+# <i>scanelf -lpqe .</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf's Format Modifier Handler</title>
+<body>
+
+<p>
+A useful feature of the <c>scanelf</c> utility is the format modifier ha=
ndler. =20
+With this option you can control the output of <c>scanelf</c>, thereby=20
+simplifying parsing the output with scripts.
+</p>
+
+<p>
+As an example, we will use <c>scanelf</c> to print the file names that c=
ontain
+text relocations:
+</p>
+
+<pre caption=3D"Example of the scanelf format modifier handler">
+# <i>scanelf -l -p -R -q -F "%F #t"</i>
+</pre>
+
+</body>
+</section>
+</chapter>
+
+<chapter id=3D"pspax">
+<title>Listing PaX Flags and Capabilities</title>
+<section>
+<title>About PaX</title>
+<body>
+
+<p>
+<uri link=3D"http://pax.grsecurity.net">PaX</uri> is a project hosted by=
 the <uri
+link=3D"http://www.grsecurity.net">grsecurity</uri> project. Quoting the=
 <uri
+link=3D"http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>,=
 its main=20
+goal is "to research various defense mechanisms against the exploitation=
 of=20
+software bugs that give an attacker arbitrary read/write access to the=20
+attacked task's address space. This class of bugs contains among others=20
+various forms of buffer overflow bugs (be they stack or heap based), use=
r
+supplied format string bugs, etc."
+</p>
+
+<p>
+To be able to benefit from these defense mechanisms, you need to run a L=
inux
+kernel patched with the latest PaX code. The <uri
+link=3D"http://hardened.gentoo.org">Hardened Gentoo</uri> project suppor=
ts PaX and
+its parent project, grsecurity. The supported kernel package is
+<c>sys-kernel/hardened-sources</c>.
+</p>
+
+<p>
+The Gentoo/Hardened project has a <uri
+link=3D"/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guid=
e</uri>
+for your reading pleasure.
+</p>
+
+</body>
+</section>
+<section>
+<title>Flags and Capabilities</title>
+<body>
+
+<p>
+If your toolchain supports it, your binaries can have additional PaX fla=
gs in
+their Program Header. The following flags are supported:
+</p>
+
+<table>
+<tr>
+  <th>Flag</th>
+  <th>Name</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>P</ti>
+  <ti>PAGEEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the NX bit
+    (or emulated NX bit)
+  </ti>
+</tr>
+<tr>
+  <ti>S</ti>
+  <ti>SEGMEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the
+    segmentation logic of IA-32
+  </ti>
+</tr>
+<tr>
+  <ti>E</ti>
+  <ti>EMUTRAMP</ti>
+  <ti>
+    Allow known code execution sequences on writable pages that
+    should not cause any harm
+  </ti>
+</tr>
+<tr>
+  <ti>M</ti>
+  <ti>MPROTECT</ti>
+  <ti>
+    Prevent the creation of new executable code to the process
+    address space
+  </ti>
+</tr>
+<tr>
+  <ti>R</ti>
+  <ti>RANDMMAP</ti>
+  <ti>
+    Randomize the stack base to prevent certain stack overflow
+    attacks from being successful
+  </ti>
+</tr>
+<tr>
+  <ti>X</ti>
+  <ti>RANDEXEC</ti>
+  <ti>
+    Randomize the address where the application maps to prevent
+    certain attacks from being exploitable
+  </ti>
+</tr>
+</table>
+
+<p>
+The default Linux kernel also supports certain capabilities, grouped in =
the
+so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
+capabilities in our <uri
+link=3D"/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> doc=
ument.
+</p>
+
+</body>
+</section>
+<section>
+<title>Using pspax</title>
+<body>
+
+<p>
+The <c>pspax</c> application, part of the <c>pax-utils</c> package, disp=
lays the
+run-time capabilities of all programs you have permission for. On Linux =
kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+
+<p>
+When ran, <c>pspax</c> shows the following information:
+</p>
+
+<table>
+<tr>
+  <th>Column</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>USER</ti>
+  <ti>Owner of the process</ti>
+</tr>
+<tr>
+  <ti>PID</ti>
+  <ti>Process id</ti>
+</tr>
+<tr>
+  <ti>PAX</ti>
+  <ti>Run-time PaX flags (if applicable)</ti>
+</tr>
+<tr>
+  <ti>MAPS</ti>
+  <ti>Write/eXecute markings for the process map</ti>
+</tr>
+<tr>
+  <ti>ELF_TYPE</ti>
+  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
+</tr>
+<tr>
+  <ti>NAME</ti>
+  <ti>Name of the process</ti>
+</tr>
+<tr>
+  <ti>CAPS</ti>
+  <ti>POSIX.1e capabilities (see note)</ti>
+</tr>
+<tr>
+  <ti>ATTR</ti>
+  <ti>Extended attributes (if applicable)</ti>
+</tr>
+</table>
+
+<note>
+<c>pspax</c> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <c>pax-uti=
ls</c>
+with -DWANT_SYSCAP.
+</note>
+
+<p>
+By default, <c>pspax</c> does not show any kernel processes. If you want=
 those
+to be taken as well, use the <c>-a</c> switch.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter id=3D"dumpelf">
+<title>Programming with ELF files</title>
+<section>
+<title>The dumpelf Utility</title>
+<body>
+
+<p>
+With the <c>dumpelf</c> utility you can convert a ELF file into human re=
adable C
+code that defines a structure with the same image as the original ELF fi=
le.
+</p>
+
+<pre caption=3D"dumpelf example">
+$ <i>dumpelf /bin/hostname</i>
+#include &lt;elf.h&gt;
+
+<comment>/*
+ * ELF dump of '/bin/hostname'
+ *     10276 (0x2824) bytes
+ */</comment>
+
+struct {
+        Elf32_Ehdr ehdr;
+        Elf32_Phdr phdrs[8];
+        Elf32_Shdr shdrs[26];
+} dumpedelf_0 =3D {
+
+.ehdr =3D {
+<comment>(... Output stripped ...)</comment>
+</pre>
+
+</body>
+</section>
+</chapter>
+</guide>
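
Review bot: In the section "Propagating PaX marks backwards from a library to objects that link at it", the first paragraph stops mid-sentence at "What it does is check all the libraries linked statically" and runs straight into "The scanelf application is part of the app-misc/pax-utils package." Everything from that point to the end of the file (the scanelf option and format specifier tables, the text relocation, section header and segment marking examples, and the pspax and dumpelf chapters) describes pax-utils tools and never mentions revdep-pax. Suggest finishing that paragraph with the actual revdep-pax usage and dropping the carried-over chapters, or pointing to the pax-utils guide, so the new file does not duplicate it. The two places that describe the marks should also agree: the list in the first chapter says RANDMMAP randomizes the addresses where mappings are made, while the table under "Flags and Capabilities" says it randomizes the stack base; and the introduction says the new-style markings "add a new specific section to the ELF file" while the later text places the PaX flags in the Program Header (PT_PAX_FLAGS). Smaller points: the abstract says "PaC markings" where PaX is meant; the attribution reads by "Geroge Orwell"; "propper markings", "Required by for amongst other things" and "is disables by default" need fixing; and the parenthesis opened before "a PaX extension for the ELF format" in the PT_PAX_FLAGS sentence is never closed.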