* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2011-09-08 23:10 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-09-08 23:10 UTC
To: gentoo-commits
commit: 8452e2a1ce450503bd0c15f8dfd7bd08de7430dc
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 8 23:10:14 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Sep 8 23:10:14 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=8452e2a1
doc/paxctl-ng-design.txt: first draft
---
doc/paxctl-ng-design.txt | 43 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/doc/paxctl-ng-design.txt b/doc/paxctl-ng-design.txt
new file mode 100644
index 0000000..18f59f4
--- /dev/null
+++ b/doc/paxctl-ng-design.txt
@@ -0,0 +1,43 @@
+
+INTRODUCTION
+
+Currently there are two ways to perform pax markings, one is by EI_PAX and
+the other by PT_PAX. The former is a legacy marking which uses bytes 14
+and 15 of the ehdr.e_ident[] field. These are in a reserved area of the ELF
+header and could be allocated to a different official use by some future
+standard [1]. For this reason, it is undesireable to continue using this
+marking scheme. The second method introduces a new program header called
+PAX_FLAGS which hosts the markings. While this avoids hijacking a reserved
+area of an ELF binary, it introduces the problem of pre-compiled binaries
+which do not have a PT_PAX program header. Binaries compiled on a Gentoo
+system automatically have a PT_PAX header because of patched binutils. However
+binaries compiled on other systems do not necessarily have such a section.
+This can be remedied by either adding a PT_PAX header or converting a GNU_STACK
+header. However both of these are problematic. In the case of self-checking
+elf binaries, adding a PT_PAX header will cause a failure of the check.
+Alternatively, converting a GNU_STACK header can cause the binary to fail
+to execute correctly.
+
+A third possibility is being consider, but it is in its infancy as of this
+writing. The pax markings can be put in the Extended File Attributes, much
+like selinux labels. This is not without its difficulties because not all
+filesystems are capable of supporting xattrs. However, work on making
+filesystems, like tmpfs, and archiving tools, like tar, aware of xattrs
+is maturing and migrating pax markings to xattrs is now a design possibility.
+
+
+PURPOSAL
+
+To avoid ambiguity in Hardened Gentoo and to smooth the transition to a
+future, we propose the following standards to how pax markings are treated:
+
+1) The kernel.
+
+2) Userland utility.
+
+
+
+REFERENCE
+
+[1] http://refspecs.freestandards.org/elf/
+
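Review bot: Items 1) and 2) under the proposal heading are bare titles ("The kernel.", "Userland utility.") with no text, so the draft describes the problem but gives no rule for how the markings are resolved; fill them in or mark them as TODO before circulating this. In the introduction PT_PAX is described once as "a new program header called PAX_FLAGS" and once as "such a section"; use the program-header term throughout, since the self-checking-binary argument depends on it being a header added to the file. Spelling: "PURPOSAL", "undesireable", "being consider", and "transition to a future" is missing its noun.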
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2011-09-08 23:40 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-09-08 23:40 UTC
To: gentoo-commits
commit: c29a5d5f3be5a22025aa7a783ecfcad5fbbaf548
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 8 23:40:50 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Sep 8 23:40:50 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=c29a5d5f
doc/paxctl-ng-design.txt: ready for release as RFC
---
doc/paxctl-ng-design.txt | 41 +++++++++++++++++++++++++++++++++++++++--
1 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/doc/paxctl-ng-design.txt b/doc/paxctl-ng-design.txt
index 18f59f4..9d837cf 100644
--- a/doc/paxctl-ng-design.txt
+++ b/doc/paxctl-ng-design.txt
@@ -31,9 +31,46 @@ PURPOSAL
To avoid ambiguity in Hardened Gentoo and to smooth the transition to a
future, we propose the following standards to how pax markings are treated:
-1) The kernel.
+1) The kernel. The kernel will be patched to force respect of PT_PAX markings
+first, and only if these are missing, revert to EI_PAX. If both markings are
+misssing, then the kernel will revert to enforcing maximum protection, meaning
-2) Userland utility.
+ PAGEEXEC enabled
+ SEGMEXEC enabled
+ MPROTECT enabled
+ EMUTRAMP disabled
+ RANDMMAP enabled
+
+Once xattr pax markings are introduced, then the kernel will be patched to
+force respect of xattr markings first. If these are missing, either because
+the file has not been pax marked in their xattr fields, or because the
+filesystem doesn't support xattrs, then the kernel will revert to using
+PT_PAX. If the PT_PAX header is missing, the kernel will then revert to
+EI_PAX markings, and if even these are missing, it will finaly revert to
+enforcing maximum protection.
+
+
+2) Userland utility. A new userland utility will be required to ensure
+consistency between the two (eventually three) types of pax markings.
+
+If an ELF binary has a PT_PAX header, it will use that for pax markings.
+For consistency, and until standards say otherwise, it will also mark
+the EI_PAX field with the same flags.
+
+If the binary does not have a PT_PAX header, it will not attempt to add
+such a header, nor convert a GNU_STACK header. Rather, it will only mark
+the EI_PAX fields.
+
+When xattr pax markings are introduced, then the utility will try to add
+the same markings to all three: xattrs, PT_PAX and EI_PAX. It may fail
+to add the markings to either xattrs and/or PT_PAX for the reasons stated
+above, but at least the markings will be in EI_PAX.
+
+
+3) It is hoped that by the time EI_PAX markings must be deprecated because
+ehdr.e_ident[14] and ehdr.e_ident[15] are allocated to some other official
+purpose, xattr marking will be fully supported and EI_PAX can be dropped
+from both the kernel and the userland utility.
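Review bot: Item 2 says the utility writes the same flags to PT_PAX and EI_PAX, but not what it reports when it reads a binary whose existing markings already disagree; say that it displays them in the kernel's precedence order from item 1 (xattr, then PT_PAX, then EI_PAX) so the user sees the flags the kernel will actually enforce. The xattr paragraph also accepts that a write to xattrs or PT_PAX "may fail" as long as EI_PAX is written; require the utility to report which of the three markings it actually updated. Spelling: "misssing", "finaly".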
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2011-09-18 16:01 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-09-18 16:01 UTC
To: gentoo-commits
commit: 823bca2775589539ab4c0d0f04e5401e1103f01f
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 18 16:01:01 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Sep 18 16:01:01 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=823bca27
doc/make.sh: switched fix-gnustack.1 to pod generated
---
doc/fix-gnustack.1 | 196 +++++++++++++++++++++++++++++++++++++---------
doc/fix-gnustack.pod | 41 ++++++++++
doc/make.sh | 14 ++++
doc/paxctl-ng-design.txt | 2 +-
4 files changed, 215 insertions(+), 38 deletions(-)
diff --git a/doc/fix-gnustack.1 b/doc/fix-gnustack.1
index 79447bd..0b98b51 100644
--- a/doc/fix-gnustack.1
+++ b/doc/fix-gnustack.1
@@ -1,39 +1,161 @@
-.TH "fix-gnustack" "1" "14 April 2011" "fix-gnustack Manual" "Documentation for elfix"
-.SH NAME
-fix-gnustack \- Query or clear the ELF GNU_STACK executable flag
-.SH SYNOPSIS
-.B fix-gnustack
-scans the program headers of ELF binaries or shared object libraries
-and reports if a GNU_STACK entry is marked both writeable and executable.
-On PaX hardened kernels where memory protection (MPROTECT) is enforced,
-execution of binaries with WX GNU_STACKS, or binaries linking against
-libraries with WX GNU_STACKS, is terminated by the kernel. When
-.B fix-gnustack
-is called without the
-.B \-f
-option, it simply reports the RWX (read/write/execute) flags on any GNU_STACK
-found. When called with the
-.B \-f
-option, it clears the X flag if both W and X are found.
-.RB [option]\ ELF
-.SH DESCRIPTION
-.B fix-gnustack
-is a program which
-.SH OPTIONS
-.TP
-.B \-f
-Remove the X flag (fix).
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.el \{\
+. de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "FIX-GNUSTACK 1"
+.TH FIX-GNUSTACK 1 "2011-04-14" "elfix 0.1" "Documentation for elfix"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+fix\-gnustack \- Query or clear the ELF GNU_STACK executable flag
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBfix-gnustack\fR scans the program headers of \s-1ELF\s0 binaries or shared
+object libraries and reports if a \s-1GNU_STACK\s0 entry is marked both
+writeable and executable. On PaX hardened kernels where memory
+protection (\s-1MPROTECT\s0) is enforced, execution of binaries with \s-1WX\s0
+\&\s-1GNU_STACKS\s0, or binaries linking against libraries with \s-1WX\s0 \s-1GNU_STACKS\s0,
+is terminated by the kernel. When \fBfix-gnustack\fR is called without
+the \fB\-f\fR option, it simply reports the \s-1RWX\s0 (read/write/execute)
+flags on any \s-1GNU_STACK\s0 found. When called with the \fB\-f\fR option,
+it clears the X flag if both W and X are found.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-f\fR" 4
+.IX Item "-f"
+Remove the X flag, i.e., \*(L"fix\*(R" the executable.
.SH "HOMEPAGE"
-.PP
-\m[blue]\fBhttp://dev\&.gentoo\&.org/\&~blueness/elfix\fR\m[]
+.IX Header "HOMEPAGE"
+http://dev.gentoo.org/~blueness/elfix
.SH "REPORTING BUGS"
-.PP
-\m[blue]\fBhttp://bugs\&.gentoo\&.org\fR\m[]
-.SH SEE ALSO
-.BR scanelf (1),
-.BR dumpelf (1),
-.BR paxctl (1),
-.BR pspax (1).
-.SH AUTHORS
-.B Anthony G. Basile
-<blueness@gentoo.org>
+.IX Header "REPORTING BUGS"
+Please report bugs at http://bugs.gentoo.org.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBscanelf\fR(1), \fBdumpelf\fR(1), \fBpaxctl\fR(1), \fBpaxctl-ng\fR(1), \fBpspax\fR(1).
+.SH "AUTHORS"
+.IX Header "AUTHORS"
+\&\fBAnthony G. Basile\fR <blueness@gentoo.org>
diff --git a/doc/fix-gnustack.pod b/doc/fix-gnustack.pod
new file mode 100644
index 0000000..3c6f6ba
--- /dev/null
+++ b/doc/fix-gnustack.pod
@@ -0,0 +1,41 @@
+=head1 NAME
+
+B<fix-gnustack> - Query or clear the ELF GNU_STACK executable flag
+
+=head1 SYNOPSIS
+
+B<fix-gnustack> scans the program headers of ELF binaries or shared
+object libraries and reports if a GNU_STACK entry is marked both
+writeable and executable. On PaX hardened kernels where memory
+protection (MPROTECT) is enforced, execution of binaries with WX
+GNU_STACKS, or binaries linking against libraries with WX GNU_STACKS,
+is terminated by the kernel. When B<fix-gnustack> is called without
+the B<-f> option, it simply reports the RWX (read/write/execute)
+flags on any GNU_STACK found. When called with the B<-f> option,
+it clears the X flag if both W and X are found.
+
+=head1 OPTIONS
+
+=over
+
+=item B<-f>
+
+Remove the X flag, i.e., "fix" the executable.
+
+=back
+
+=head1 HOMEPAGE
+
+http://dev.gentoo.org/~blueness/elfix
+
+=head1 REPORTING BUGS
+
+Please report bugs at http://bugs.gentoo.org.
+
+=head1 SEE ALSO
+
+B<scanelf>(1), B<dumpelf>(1), B<paxctl>(1), B<paxctl-ng>(1), B<pspax>(1).
+
+=head1 AUTHORS
+
+B<Anthony G. Basile> <blueness@gentoo.org>
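Review bot: The SYNOPSIS section holds the descriptive paragraph and the page has no invocation line and no DESCRIPTION section, so the usage form the removed troff page carried (`.RB [option]\ ELF`) is lost. Put the command form under SYNOPSIS and move the paragraph under a new =head1 DESCRIPTION. SEE ALSO now lists paxctl-ng(1), but no paxctl-ng page appears in this commit's diffstat; confirm that page is installed before referencing it.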
diff --git a/doc/make.sh b/doc/make.sh
new file mode 100755
index 0000000..fc81032
--- /dev/null
+++ b/doc/make.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#Run this on developer side, and distribute troff
+#in case the end user doesn't have pod2man
+
+rm -f fix-gnustack.1
+
+pod2man \
+ --official \
+ --section="1" \
+ --release="elfix 0.1" \
+ --center="Documentation for elfix" \
+ --date="2011-04-14" \
+ fix-gnustack.pod > fix-gnustack.1
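Review bot: `rm -f fix-gnustack.1` runs before pod2man and the output is redirected straight onto the same name, so when pod2man is missing or fails part-way the previously committed man page is gone and an empty or truncated file is left in its place. Write to a temporary name and move it over fix-gnustack.1 only when pod2man succeeds, and add `set -e` at the top. The `--release` and `--date` values are hard-coded here and will need a manual edit at every release.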
diff --git a/doc/paxctl-ng-design.txt b/doc/paxctl-ng-design.txt
index 9d837cf..9de06a0 100644
--- a/doc/paxctl-ng-design.txt
+++ b/doc/paxctl-ng-design.txt
@@ -33,7 +33,7 @@ future, we propose the following standards to how pax markings are treated:
1) The kernel. The kernel will be patched to force respect of PT_PAX markings
first, and only if these are missing, revert to EI_PAX. If both markings are
-misssing, then the kernel will revert to enforcing maximum protection, meaning
+missing, then the kernel will revert to enforcing maximum protection, meaning
PAGEEXEC enabled
SEGMEXEC enabled
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2011-09-18 22:58 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-09-18 22:58 UTC
To: gentoo-commits
commit: da253f8acd8503155df26bf4b83a69ac89fe3ff9
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 18 22:58:17 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Sep 18 22:58:17 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=da253f8a
doc/Makefile.am: add install paxctl-ng.1 man page
---
doc/Makefile.am | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index bb38c50..f599022 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1 +1 @@
-dist_man_MANS = fix-gnustack.1
+dist_man_MANS = fix-gnustack.1 paxctl-ng.1
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2011-10-22 22:14 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-10-22 22:14 UTC
To: gentoo-commits
commit: 77ba177174e78c893b1c689a2919e884ad9b7ecb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 22 22:14:48 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Oct 22 22:14:48 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=77ba1771
doc/revdep-pax.pod: tighten up doc language
---
doc/fix-gnustack.1 | 2 +-
doc/make.sh | 6 +++---
doc/paxctl-ng.1 | 2 +-
doc/revdep-pax.1 | 33 ++++++++++++++++-----------------
doc/revdep-pax.pod | 33 ++++++++++++++++-----------------
5 files changed, 37 insertions(+), 39 deletions(-)
diff --git a/doc/fix-gnustack.1 b/doc/fix-gnustack.1
index 2c813c6..7f7f4c8 100644
--- a/doc/fix-gnustack.1
+++ b/doc/fix-gnustack.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "FIX-GNUSTACK 1"
-.TH FIX-GNUSTACK 1 "2011-04-14" "elfix 0.2" "Documentation for elfix"
+.TH FIX-GNUSTACK 1 "2011-04-14" "elfix 0.3" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/doc/make.sh b/doc/make.sh
index 78bca35..07af7bd 100755
--- a/doc/make.sh
+++ b/doc/make.sh
@@ -8,7 +8,7 @@ rm -f fix-gnustack.1
pod2man \
--official \
--section="1" \
- --release="elfix 0.2" \
+ --release="elfix 0.3" \
--center="Documentation for elfix" \
--date="2011-04-14" \
fix-gnustack.pod > fix-gnustack.1
@@ -16,7 +16,7 @@ pod2man \
pod2man \
--official \
--section="1" \
- --release="elfix 0.2" \
+ --release="elfix 0.3" \
--center="Documentation for elfix" \
--date="2011-08-18" \
paxctl-ng.pod > paxctl-ng.1
@@ -24,7 +24,7 @@ pod2man \
pod2man \
--official \
--section="1" \
- --release="elfix 0.2" \
+ --release="elfix 0.3" \
--center="Documentation for elfix" \
--date="2011-10-19" \
revdep-pax.pod > revdep-pax.1
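Review bot: The release string is bumped by hand in three separate pod2man calls in this file and again in the .TH line of each generated page; define it once at the top of make.sh (for example `RELEASE="elfix 0.3"` with `--release="$RELEASE"` in each call) so a later bump cannot leave one page on the old version.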
diff --git a/doc/paxctl-ng.1 b/doc/paxctl-ng.1
index 218dde3..1623800 100644
--- a/doc/paxctl-ng.1
+++ b/doc/paxctl-ng.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "PAXCTL-NG 1"
-.TH PAXCTL-NG 1 "2011-08-18" "elfix 0.2" "Documentation for elfix"
+.TH PAXCTL-NG 1 "2011-08-18" "elfix 0.3" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/doc/revdep-pax.1 b/doc/revdep-pax.1
index 944a57b..8e2b008 100644
--- a/doc/revdep-pax.1
+++ b/doc/revdep-pax.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "REVDEP-PAX 1"
-.TH REVDEP-PAX 1 "2011-10-19" "elfix 0.2" "Documentation for elfix"
+.TH REVDEP-PAX 1 "2011-10-19" "elfix 0.3" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -147,23 +147,22 @@ revdep\-pax \- find mismatching PaX markings between ELF objects and their libra
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBrevdep-pax\fR finds mismatching PaX markings between an \s-1ELF\s0 object and the
-libraries that object dynamically links against. When executing an \s-1ELF\s0 binary
-that links against libraries, the PaX hardened kernel ignores the library
-markings and uses the executable markings for enforcing PaX restrictions.
-It is desireable in some circumstances to migrate back the library markings
-to the binaries.
+libraries which that object dynamically links against. When executing an \s-1ELF\s0
+binary that links against libraries, the PaX hardened kernel ignores the libraries'
+markings and uses the executable's markings to enforce PaX restrictions.
+It is desireable in some circumstances to reverse migrate a library's markings
+to the binaries that link against it.
.PP
-revdep-pax can do its work by either starting from the object and mapping
-forwards to its libraries, or by starting from a library and mapping
-backwards to all the objects that link against it. The library can either
-be specified by the \s-1SONAME\s0 as it is reported by \fBldd\fR(1), or by the full
-path to the \s-1LIBRARY\s0 file. Symbolic links are dereferenced. The user can
-optionally scan for all forward mappings on the system (\-f), for all reverse
-mappings (\-r), for forward mappings of just one \s-1OBJECT\s0 (\-b), for reverse
-mappings of just one \s-1SONAME\s0 (\-s) or one \s-1LIBRARY\s0 (\-l). In verbose mode (\-v),
-all mappings are reported, not just mismatching ones, and in mark mode (\-m),
-the user is prompted whether to proceed with marking the found object so
-its PaX flags match its source.
+revdep-pax can either forward migrate PaX markings from an \s-1ELF\s0 object to its
+libraries, or reverse migrate from a library to all the objects that link
+against it. The library can either be specified by its \s-1SONAME\s0 as it is reported
+by \fBldd\fR(1), or by the full path to the \s-1LIBRARY\s0 file. Symbolic links are
+dereferenced. The user can optionally scan for all forward mappings on the
+system (\-f), for all reverse mappings (\-r), for forward mappings of just one
+\&\s-1OBJECT\s0 (\-b), for reverse mappings of just one \s-1SONAME\s0 (\-s) or one \s-1LIBRARY\s0 (\-l).
+In verbose mode (\-v), all mappings are reported, not just mismatching ones,
+and in mark mode (\-m), the user is prompted whether to proceed with the migration,
+so that the PaX flags of the target inherit the flags of the source.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-f\fR Scan the system for all forward mappings" 4
diff --git a/doc/revdep-pax.pod b/doc/revdep-pax.pod
index 6bb08e8..fc46418 100644
--- a/doc/revdep-pax.pod
+++ b/doc/revdep-pax.pod
@@ -19,23 +19,22 @@ B<revdep-pax> [-h]
=head1 DESCRIPTION
B<revdep-pax> finds mismatching PaX markings between an ELF object and the
-libraries that object dynamically links against. When executing an ELF binary
-that links against libraries, the PaX hardened kernel ignores the library
-markings and uses the executable markings for enforcing PaX restrictions.
-It is desireable in some circumstances to migrate back the library markings
-to the binaries.
-
-revdep-pax can do its work by either starting from the object and mapping
-forwards to its libraries, or by starting from a library and mapping
-backwards to all the objects that link against it. The library can either
-be specified by the SONAME as it is reported by B<ldd>(1), or by the full
-path to the LIBRARY file. Symbolic links are dereferenced. The user can
-optionally scan for all forward mappings on the system (-f), for all reverse
-mappings (-r), for forward mappings of just one OBJECT (-b), for reverse
-mappings of just one SONAME (-s) or one LIBRARY (-l). In verbose mode (-v),
-all mappings are reported, not just mismatching ones, and in mark mode (-m),
-the user is prompted whether to proceed with marking the found object so
-its PaX flags match its source.
+libraries which that object dynamically links against. When executing an ELF
+binary that links against libraries, the PaX hardened kernel ignores the libraries'
+markings and uses the executable's markings to enforce PaX restrictions.
+It is desireable in some circumstances to reverse migrate a library's markings
+to the binaries that link against it.
+
+revdep-pax can either forward migrate PaX markings from an ELF object to its
+libraries, or reverse migrate from a library to all the objects that link
+against it. The library can either be specified by its SONAME as it is reported
+by B<ldd>(1), or by the full path to the LIBRARY file. Symbolic links are
+dereferenced. The user can optionally scan for all forward mappings on the
+system (-f), for all reverse mappings (-r), for forward mappings of just one
+OBJECT (-b), for reverse mappings of just one SONAME (-s) or one LIBRARY (-l).
+In verbose mode (-v), all mappings are reported, not just mismatching ones,
+and in mark mode (-m), the user is prompted whether to proceed with the migration,
+so that the PaX flags of the target inherit the flags of the source.
=head1 OPTIONS
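Review bot: The new closing sentence says that in mark mode the target's flags "inherit the flags of the source", but nothing here says what happens when the source's flags are less restrictive than the target's, so a reader cannot tell whether -m can relax protection on the target; state the rule explicitly. Smaller points: the second paragraph opens with a bare "revdep-pax" where the first uses B<revdep-pax>, "libraries which that object" reads worse than the line it replaces, and "desireable" is carried over misspelled.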
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2012-11-10 22:22 Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2012-11-10 22:22 UTC
To: gentoo-commits
commit: 5d7037d9dc58e4c0a94ac4dfb30af7dca0e6a2c6
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 10 22:21:55 2012 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Nov 10 22:21:55 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=5d7037d9
doc/paxctl-ng.{pod,1}: update documentation for -L -l flags
---
doc/paxctl-ng.1 | 23 ++++++++++++++++-------
doc/paxctl-ng.pod | 23 ++++++++++++++++-------
2 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/doc/paxctl-ng.1 b/doc/paxctl-ng.1
index 5a57a33..2f3a904 100644
--- a/doc/paxctl-ng.1
+++ b/doc/paxctl-ng.1
@@ -147,6 +147,10 @@ paxctl\-ng \- get or set the PaX flags for both PT_PAX and XT_PAX markings
.PP
\&\fBpaxctl-ng\fR \-f [\-v] \s-1ELF\s0
.PP
+\&\fBpaxctl-ng\fR \-L [\-v] \s-1ELF\s0
+.PP
+\&\fBpaxctl-ng\fR \-l [\-v] \s-1ELF\s0
+.PP
\&\fBpaxctl-ng\fR [\-h]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -172,13 +176,14 @@ Extended Attributes, otherwise these are lost, unlike \s-1PT_PAX\s0 markings whi
are carried within the binary itself.
.PP
\&\fBpaxctl-ng\fR is opportunistic without taking control away from the user. If both
-a \s-1PT_PAX\s0 program header and \s-1XT_PAX\s0 extended attribute field \*(L"user.pax\*(R" exist, and
-then both markings will be equally updated when the user modifies the flags. If
-only one marking exists, then only that marking will be updated. Under no circumstances
-will \fBpaxctl-ng\fR create a \s-1PT_PAX\s0 program header. It will attempt to create an \s-1XT_PAX\s0
-extended attribute field if it is instructed to do so with the \-C or \-c flag,
-and it will attempt to synchronize the \s-1PT_PAX\s0 and \s-1XT_PAX\s0 markings if given the \-F
-or \-f flag.
+a \s-1PT_PAX\s0 program header and \s-1XT_PAX\s0 extended attribute field \*(L"user.pax\*(R" exist, then
+both markings will be equally updated when the user modifies the flags, unless the
+\&\fB\-L\fR or \fB\-l\fR flags are given, limiting the markigs to just \s-1PT_PAX\s0 or \s-1XT_PAX\s0. If
+only one marking is possible, then only that marking will be updated. Under no
+circumstances will \fBpaxctl-ng\fR create a \s-1PT_PAX\s0 program header as \fBpaxctl\fR does.
+It will only attempt to create an \s-1XT_PAX\s0 extended attribute field if it is instructed
+to do so with the \-C or \-c flag, and it will attempt to synchronize the \s-1PT_PAX\s0 and
+\&\s-1XT_PAX\s0 markings if given the \fB\-F\fR or \fB\-f\fR flag.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-P\fR or \fB\-p\fR Enable or disable \s-1PAGEEXEC\s0" 4
@@ -211,6 +216,10 @@ eg. \-Pp for \s-1PAGEEXEC\s0, then the default setting \- is used.
.IX Item "-F Copy PT_PAX flags to XT_PAX, if possible"
.IP "\fB\-f\fR Copy \s-1XT_PAX\s0 flags to \s-1PT_PAX\s0, if possible" 4
.IX Item "-f Copy XT_PAX flags to PT_PAX, if possible"
+.IP "\fB\-L\fR Only set \s-1PT_APX\s0 flags, if both are possible" 4
+.IX Item "-L Only set PT_APX flags, if both are possible"
+.IP "\fB\-l\fR Only set \s-1XT_PAX\s0 flags, if both are possible" 4
+.IX Item "-l Only set XT_PAX flags, if both are possible"
.IP "\fB\-v\fR View the flags" 4
.IX Item "-v View the flags"
.IP "\fB\-h\fR Print out a short help message and exit." 4
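Review bot: The new -L entry reads "Only set PT_APX flags" in both its .IP and .IX lines; this should be PT_PAX, matching the XT_PAX spelling in the -l entry. Correct it in paxctl-ng.pod and regenerate this page rather than editing the troff by hand.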
diff --git a/doc/paxctl-ng.pod b/doc/paxctl-ng.pod
index 90aac3d..19a9026 100644
--- a/doc/paxctl-ng.pod
+++ b/doc/paxctl-ng.pod
@@ -18,6 +18,10 @@ B<paxctl-ng> -F [-v] ELF
B<paxctl-ng> -f [-v] ELF
+B<paxctl-ng> -L [-v] ELF
+
+B<paxctl-ng> -l [-v] ELF
+
B<paxctl-ng> [-h]
=head1 DESCRIPTION
@@ -44,13 +48,14 @@ Extended Attributes, otherwise these are lost, unlike PT_PAX markings which
are carried within the binary itself.
B<paxctl-ng> is opportunistic without taking control away from the user. If both
-a PT_PAX program header and XT_PAX extended attribute field "user.pax" exist, and
-then both markings will be equally updated when the user modifies the flags. If
-only one marking exists, then only that marking will be updated. Under no circumstances
-will B<paxctl-ng> create a PT_PAX program header. It will attempt to create an XT_PAX
-extended attribute field if it is instructed to do so with the -C or -c flag,
-and it will attempt to synchronize the PT_PAX and XT_PAX markings if given the -F
-or -f flag.
+a PT_PAX program header and XT_PAX extended attribute field "user.pax" exist, then
+both markings will be equally updated when the user modifies the flags, unless the
+B<-L> or B<-l> flags are given, limiting the markigs to just PT_PAX or XT_PAX. If
+only one marking is possible, then only that marking will be updated. Under no
+circumstances will B<paxctl-ng> create a PT_PAX program header as B<paxctl> does.
+It will only attempt to create an XT_PAX extended attribute field if it is instructed
+to do so with the -C or -c flag, and it will attempt to synchronize the PT_PAX and
+XT_PAX markings if given the B<-F> or B<-f> flag.
=head1 OPTIONS
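Review bot: The rewritten paragraph says -L or -l limit the marking "to just PT_PAX or XT_PAX" without saying which flag selects which, and it does not cover -L on a binary with no PT_PAX header or -l where the extended attribute cannot be written; "If only one marking is possible, then only that marking will be updated" can be read as writing the other marking anyway, which is not what a user who asked for one marking expects. Spell out the mapping and that case. "markigs" is a typo for "markings".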
@@ -85,6 +90,10 @@ eg. -Pp for PAGEEXEC, then the default setting - is used.
=item B<-f> Copy XT_PAX flags to PT_PAX, if possible
+=item B<-L> Only set PT_APX flags, if both are possible
+
+=item B<-l> Only set XT_PAX flags, if both are possible
+
=item B<-v> View the flags
=item B<-h> Print out a short help message and exit.
* [gentoo-commits] proj/elfix:master commit in: doc/
@ 2014-07-30 17:29 Anthony G. Basile
2014-08-19 14:01 ` Anthony G. Basile
0 siblings, 1 reply; 10+ messages in thread
From: Anthony G. Basile @ 2014-07-30 17:29 UTC
To: gentoo-commits
commit: d9eca7543451d9cfd176427451c5ca1c805ae976
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 30 17:30:57 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Jul 30 17:30:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=d9eca754
doc/Makefile.am: fix lost fix-gnustack.1
---
doc/Makefile.am | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 323b53f..836014b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -4,3 +4,8 @@ dist_man_MANS = paxctl-ng.1 revdep-pax.1
if BUILD_ELF
dist_man_MANS += fix-gnustack.1
endif
+
+# I don't know why I need this, but without it, I don't get fix-gnustack.1 distributed.
+# This is since commit 414cfa1770a8cfc46308149deecf9c0eef60a5bb. It will be fixed once
+# fix-gnustack is broken out.
+EXTRA_DIST = fix-gnustack.1
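Review bot: The added comment leaves the cause unknown, and the context lines show one candidate to check: the only `dist_man_MANS` entry for fix-gnustack.1 sits inside `if BUILD_ELF`, so verify whether the tarball was rolled from a tree configured with that conditional false. If that turns out to be the cause, replace "I don't know why I need this" with that explanation so the next maintainer does not remove the `EXTRA_DIST` line as dead weight.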
* [gentoo-commits] proj/elfix:master commit in: doc/
2014-07-30 17:29 Anthony G. Basile
@ 2014-08-19 14:01 ` Anthony G. Basile
0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2014-08-19 14:01 UTC
To: gentoo-commits
commit: d9eca7543451d9cfd176427451c5ca1c805ae976
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 30 17:30:57 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Jul 30 17:30:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=d9eca754
doc/Makefile.am: fix lost fix-gnustack.1
---
doc/Makefile.am | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 323b53f..836014b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -4,3 +4,8 @@ dist_man_MANS = paxctl-ng.1 revdep-pax.1
if BUILD_ELF
dist_man_MANS += fix-gnustack.1
endif
+
+# I don't know why I need this, but without it, I don't get fix-gnustack.1 distributed.
+# This is since commit 414cfa1770a8cfc46308149deecf9c0eef60a5bb. It will be fixed once
+# fix-gnustack is broken out.
+EXTRA_DIST = fix-gnustack.1
* [gentoo-commits] proj/elfix:master commit in: doc/
From: Anthony G. Basile @ 2014-10-13 20:49 UTC
To: gentoo-commits
commit: 3caa89b8d2b99fd42d9c9a7aa0cfc929945f124a
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 13 20:49:41 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Oct 13 20:49:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=3caa89b8
doc: update pod files
---
doc/paxctl-ng.1 | 61 ++++++++++++++++++++++++++---------------------
doc/paxctl-ng.pod | 5 +---
doc/revdep-pax.1 | 70 +++++++++++++++++++++++++++---------------------------
doc/revdep-pax.pod | 18 --------------
4 files changed, 70 insertions(+), 84 deletions(-)
diff --git a/doc/paxctl-ng.1 b/doc/paxctl-ng.1
index 5cb923a..72d57cb 100644
--- a/doc/paxctl-ng.1
+++ b/doc/paxctl-ng.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -38,6 +38,8 @@
. ds PI \(*p
. ds L" ``
. ds R" ''
+. ds C`
+. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+. if \nF \{
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
+. if !\nF==2 \{
+. nr % 0
+. nr F 2
+. \}
+. \}
.\}
+.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
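Review bot: the added `.if (\n(rF:(\n(.g==0)) \{`, `. if \nF \{` and `. if !\nF==2 \{` lines open a block without the trailing `\` that the removed `.ie \nF \{\` line had. This is Pod::Man output (the header now says 2.27), so it should not be hand-edited here, but the rendered page is worth checking for stray blank output, and the file regenerated with a newer Pod::Man if any shows. The same lines appear in the doc/revdep-pax.1 hunk of this commit.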
@@ -124,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PAXCTL-NG 1"
-.TH PAXCTL-NG 1 "2014-07-30" "elfix 0.9" "Documentation for elfix"
+.TH PAXCTL-NG 1 "2014-10-13" "elfix 0.9" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -147,7 +156,7 @@ paxctl\-ng \- get, set or create either PT_PAX or XATTR_PAX flags
\&\fBpaxctl-ng\fR is used to get, set or create the PaX flags on \s-1ELF\s0 executables which
determine the memory restrictions on process(es) spawned from them when run under
a PaX enabled kernel. \fBpaxctl-ng\fR manages two types of markings, either the older
-style \s-1PT_PAX\s0 markings which put the flags in an \s-1ELF\s0 program header named \s-1PAX_FLAGS\s0,
+style \s-1PT_PAX\s0 markings which put the flags in an \s-1ELF\s0 program header named \s-1PAX_FLAGS,\s0
or the newer style \s-1XATTR_PAX\s0 markings which put the flags in an extended attribute
field named user.pax.flags on the filesystem. Whenever possible, \fBpaxctl-ng\fR
will try to set both \s-1PT_PAX\s0 and \s-1XATTR_PAX\s0 to the same flags.
@@ -169,7 +178,7 @@ are carried within the binary itself.
\&\fBpaxctl-ng\fR is opportunistic without taking control away from the user. If both
a \s-1PAX_FLAGS\s0 program header and a user.pax.flags extended attribute field exist, then
both will be equally updated when the user modifies flags; unless the \fB\-L\fR or \fB\-l\fR
-flags are given, in which case the markings are limiting to just \s-1PT_PAX\s0 or \s-1XATTR_PAX\s0,
+flags are given, in which case the markings are limiting to just \s-1PT_PAX\s0 or \s-1XATTR_PAX,\s0
respectively. If only one marking is possible, then only that marking will be updated.
Under no circumstances will \fBpaxctl-ng\fR create a \s-1PAX_FLAGS\s0 program header as \fBpaxctl\fR
does. It will only attempt to create an extended attribute field if it is instructed
@@ -182,22 +191,20 @@ Finally, if the user wishes, he can remove the extended attribute field by runni
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-P\fR or \fB\-p\fR Enable or disable \s-1PAGEEXEC\s0" 4
-.IX Item "-P or -p Enable or disable PAGEEXEC"
+.IX Item "-P or -p Enable or disable PAGEEXEC"
.PD 0
.IP "\fB\-S\fR or \fB\-s\fR Enable or disable \s-1SEGMEXEC\s0" 4
-.IX Item "-S or -s Enable or disable SEGMEXEC"
+.IX Item "-S or -s Enable or disable SEGMEXEC"
.IP "\fB\-M\fR or \fB\-m\fR Enable or disable \s-1MPROTECT\s0" 4
-.IX Item "-M or -m Enable or disable MPROTECT"
+.IX Item "-M or -m Enable or disable MPROTECT"
.IP "\fB\-E\fR or \fB\-e\fR Enable or disable \s-1EMUTRAMP\s0" 4
-.IX Item "-E or -e Enable or disable EMUTRAMP"
+.IX Item "-E or -e Enable or disable EMUTRAMP"
.IP "\fB\-R\fR or \fB\-r\fR Enable or disable \s-1RANDMMAP\s0" 4
-.IX Item "-R or -r Enable or disable RANDMMAP"
+.IX Item "-R or -r Enable or disable RANDMMAP"
.IP "\fB\-X\fR or \fB\-x\fR Enable or disable \s-1RANDEXEC\s0" 4
-.IX Item "-X or -x Enable or disable RANDEXEC"
-.IP "" 4
+.IX Item "-X or -x Enable or disable RANDEXEC"
.PD
-If both enabling and disabling flags are set for one item,
-eg. \-Pp for \s-1PAGEEXEC\s0, then the default setting '\-' is used.
+If both enabling and disabling flags are set for one item, eg. \-Pp for \s-1PAGEEXEC,\s0 then the default setting '\-' is used.
.IP "\fB\-Z\fR Set most secure settings (PSMeRx)." 4
.IX Item "-Z Set most secure settings (PSMeRx)."
.PD 0
@@ -210,14 +217,14 @@ eg. \-Pp for \s-1PAGEEXEC\s0, then the default setting '\-' is used.
.ie n .IP "\fB\-d\fR Delete \s-1XATTR_PAX\s0 field, ""user.pax.flags""." 4
.el .IP "\fB\-d\fR Delete \s-1XATTR_PAX\s0 field, ``user.pax.flags''." 4
.IX Item "-d Delete XATTR_PAX field, user.pax.flags."
-.IP "\fB\-F\fR Copy \s-1PT_PAX\s0 flags to \s-1XATTR_PAX\s0, if possible." 4
+.IP "\fB\-F\fR Copy \s-1PT_PAX\s0 flags to \s-1XATTR_PAX,\s0 if possible." 4
.IX Item "-F Copy PT_PAX flags to XATTR_PAX, if possible."
-.IP "\fB\-f\fR Copy \s-1XATTR_PAX\s0 flags to \s-1PT_PAX\s0, if possible." 4
+.IP "\fB\-f\fR Copy \s-1XATTR_PAX\s0 flags to \s-1PT_PAX,\s0 if possible." 4
.IX Item "-f Copy XATTR_PAX flags to PT_PAX, if possible."
-.IP "\fB\-L\fR When given with other flags, only set \s-1PT_PAX\s0 flags, if possible. When given alone, return \s-1EXIT_SUCCESS\s0 if \s-1PT_PAX\s0 is supported, else return \s-1EXIT_FAILURE\s0." 4
-.IX Item "-L When given with other flags, only set PT_PAX flags, if possible. When given alone, return EXIT_SUCCESS if PT_PAX is supported, else return EXIT_FAILURE."
-.IP "\fB\-l\fR When given with other flags, only set \s-1XATTR_PAX\s0 flags, if possible. When given alone, return \s-1EXIT_SUCCESS\s0 if \s-1XATTR_PAX\s0 is supported, else return \s-1EXIT_FAILURE\s0." 4
-.IX Item "-l When given with other flags, only set XATTR_PAX flags, if possible. When given alone, return EXIT_SUCCESS if XATTR_PAX is supported, else return EXIT_FAILURE."
+.IP "\fB\-L\fR When given with other flags, only set \s-1PT_PAX\s0 flags, if possible. When given alone, return \s-1EXIT_SUCCESS\s0 if \s-1PT_PAX\s0 is supported, else return \s-1EXIT_FAILURE.\s0" 4
+.IX Item "-L When given with other flags, only set PT_PAX flags, if possible. When given alone, return EXIT_SUCCESS if PT_PAX is supported, else return EXIT_FAILURE."
+.IP "\fB\-l\fR When given with other flags, only set \s-1XATTR_PAX\s0 flags, if possible. When given alone, return \s-1EXIT_SUCCESS\s0 if \s-1XATTR_PAX\s0 is supported, else return \s-1EXIT_FAILURE.\s0" 4
+.IX Item "-l When given with other flags, only set XATTR_PAX flags, if possible. When given alone, return EXIT_SUCCESS if XATTR_PAX is supported, else return EXIT_FAILURE."
.IP "\fB\-v\fR View the flags" 4
.IX Item "-v View the flags"
.IP "\fB\-h\fR Print out a short help message and exit." 4
diff --git a/doc/paxctl-ng.pod b/doc/paxctl-ng.pod
index d409a09..99b79a1 100644
--- a/doc/paxctl-ng.pod
+++ b/doc/paxctl-ng.pod
@@ -68,10 +68,7 @@ B<paxctl-ng> with the B<-d> flag.
=item B<-X> or B<-x> Enable or disable RANDEXEC
-=item
-
-If both enabling and disabling flags are set for one item,
-eg. -Pp for PAGEEXEC, then the default setting '-' is used.
+If both enabling and disabling flags are set for one item, eg. -Pp for PAGEEXEC, then the default setting '-' is used.
=item B<-Z> Set most secure settings (PSMeRx).
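Review bot: with the empty `=item` removed, the sentence "If both enabling and disabling flags are set for one item ..." now follows `=item B<-X> or B<-x>` directly and so renders as the body of the RANDEXEC entry, although it describes every enable/disable pair. Moving it out of the item list, or under its own labelled item, would keep it from reading as RANDEXEC-specific; `eg.` should also be `e.g.`.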
diff --git a/doc/revdep-pax.1 b/doc/revdep-pax.1
index ee7cfd5..cb76b52 100644
--- a/doc/revdep-pax.1
+++ b/doc/revdep-pax.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -38,6 +38,8 @@
. ds PI \(*p
. ds L" ``
. ds R" ''
+. ds C`
+. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+. if \nF \{
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
+. if !\nF==2 \{
+. nr % 0
+. nr F 2
+. \}
+. \}
.\}
+.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -124,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "REVDEP-PAX 1"
-.TH REVDEP-PAX 1 "2014-07-30" "elfix 0.9" "Documentation for elfix"
+.TH REVDEP-PAX 1 "2014-10-13" "elfix 0.9" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -159,44 +168,35 @@ against it. The library can either be specified by its \s-1SONAME\s0 as it is r
by \fBldd\fR(1), or by the full path to the \s-1LIBRARY\s0 file. Symbolic links are
dereferenced. The user can optionally scan for all forward mappings on the
system (\-f), for all reverse mappings (\-r), for forward mappings of just one
-\&\s-1OBJECT\s0 (\-b), for reverse mappings of just one \s-1SONAME\s0 (\-s) or one \s-1LIBRARY\s0 (\-l).
+\&\s-1OBJECT \s0(\-b), for reverse mappings of just one \s-1SONAME \s0(\-s) or one \s-1LIBRARY \s0(\-l).
In verbose mode (\-v), all mappings are reported, not just mismatching ones,
and in mark mode (\-m), the user is prompted whether to proceed with the migration,
so that the PaX flags of the target inherit the flags of the source.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-f\fR Scan the system for all forward mappings." 4
-.IX Item "-f Scan the system for all forward mappings."
+.IX Item "-f Scan the system for all forward mappings."
.PD 0
-.IP "" 4
.IP "\fB\-r\fR Scan the system for all reverse mappings." 4
-.IX Item "-r Scan the system for all reverse mappings."
-.IP "" 4
-.IP "\fB\-b\fR \s-1OBJECT\s0 Retrieve only the forward mappings for this \s-1ELF\s0 \s-1OBJECT\s0." 4
-.IX Item "-b OBJECT Retrieve only the forward mappings for this ELF OBJECT."
-.IP "" 4
-.IP "\fB\-s\fR \s-1SONAME\s0 Retrieve only the reverse mappings for this \s-1SONAME\s0." 4
-.IX Item "-s SONAME Retrieve only the reverse mappings for this SONAME."
-.IP "" 4
-.IP "\fB\-l\fR \s-1LIBRARY\s0 Retrieve only the reverse mappings for this \s-1LIBRARY\s0." 4
-.IX Item "-l LIBRARY Retrieve only the reverse mappings for this LIBRARY."
-.IP "" 4
+.IX Item "-r Scan the system for all reverse mappings."
+.IP "\fB\-b\fR \s-1OBJECT \s0 Retrieve only the forward mappings for this \s-1ELF OBJECT.\s0" 4
+.IX Item "-b OBJECT Retrieve only the forward mappings for this ELF OBJECT."
+.IP "\fB\-s\fR \s-1SONAME \s0 Retrieve only the reverse mappings for this \s-1SONAME.\s0" 4
+.IX Item "-s SONAME Retrieve only the reverse mappings for this SONAME."
+.IP "\fB\-l\fR \s-1LIBRARY\s0 Retrieve only the reverse mappings for this \s-1LIBRARY.\s0" 4
+.IX Item "-l LIBRARY Retrieve only the reverse mappings for this LIBRARY."
.IP "\fB\-v\fR Report all mappings, not just the mismatched ones." 4
-.IX Item "-v Report all mappings, not just the mismatched ones."
-.IP "" 4
+.IX Item "-v Report all mappings, not just the mismatched ones."
.ie n .IP "\fB\-e\fR Limit the markings or report to only those executables in the current shell's $PATH." 4
.el .IP "\fB\-e\fR Limit the markings or report to only those executables in the current shell's \f(CW$PATH\fR." 4
-.IX Item "-e Limit the markings or report to only those executables in the current shell's $PATH."
-.IP "" 4
+.IX Item "-e Limit the markings or report to only those executables in the current shell's $PATH."
.IP "\fB\-m\fR Prompt the user to mark the found object with the PaX flags of the source." 4
-.IX Item "-m Prompt the user to mark the found object with the PaX flags of the source."
-.IP "" 4
-.ie n .IP "\fB\-y\fR Assume ""yes"" to all prompts for marking (\s-1USE\s0 \s-1CAREFULLY\s0!)" 4
-.el .IP "\fB\-y\fR Assume ``yes'' to all prompts for marking (\s-1USE\s0 \s-1CAREFULLY\s0!)" 4
-.IX Item "-y Assume yes to all prompts for marking (USE CAREFULLY!)"
-.IP "" 4
+.IX Item "-m Prompt the user to mark the found object with the PaX flags of the source."
+.ie n .IP "\fB\-y\fR Assume ""yes"" to all prompts for marking (\s-1USE CAREFULLY\s0!)" 4
+.el .IP "\fB\-y\fR Assume ``yes'' to all prompts for marking (\s-1USE CAREFULLY\s0!)" 4
+.IX Item "-y Assume yes to all prompts for marking (USE CAREFULLY!)"
.IP "\fB\-h\fR Print out a short help message and exit." 4
-.IX Item "-h Print out a short help message and exit."
+.IX Item "-h Print out a short help message and exit."
.PD
.SH "HOMEPAGE"
.IX Header "HOMEPAGE"
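Review bot: the regenerated `-b` and `-s` entries read `\s-1OBJECT \s0 Retrieve` and `\s-1SONAME \s0 Retrieve`, with the space pulled inside the size change and a second space after it, while the `-l` entry keeps `\s-1LIBRARY\s0 Retrieve`; the same shift appears in `\s-1OBJECT \s0(\-b)` in the description paragraph. The doc/revdep-pax.pod hunk in this commit leaves that text unchanged, so the difference comes from the generator, and the three entries should be checked for consistent spacing in the rendered page.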
diff --git a/doc/revdep-pax.pod b/doc/revdep-pax.pod
index b1f6d28..45aa567 100644
--- a/doc/revdep-pax.pod
+++ b/doc/revdep-pax.pod
@@ -42,40 +42,22 @@ so that the PaX flags of the target inherit the flags of the source.
=item B<-f> Scan the system for all forward mappings.
-=item
-
=item B<-r> Scan the system for all reverse mappings.
-=item
-
=item B<-b> OBJECT Retrieve only the forward mappings for this ELF OBJECT.
-=item
-
=item B<-s> SONAME Retrieve only the reverse mappings for this SONAME.
-=item
-
=item B<-l> LIBRARY Retrieve only the reverse mappings for this LIBRARY.
-=item
-
=item B<-v> Report all mappings, not just the mismatched ones.
-=item
-
=item B<-e> Limit the markings or report to only those executables in the current shell's $PATH.
-=item
-
=item B<-m> Prompt the user to mark the found object with the PaX flags of the source.
-=item
-
=item B<-y> Assume "yes" to all prompts for marking (USE CAREFULLY!)
-=item
-
=item B<-h> Print out a short help message and exit.
=back
* [gentoo-commits] proj/elfix:master commit in: doc/
From: Sam James @ 2023-01-24 3:18 UTC
To: gentoo-commits
commit: 99f433bade5c00a2c2298aa76c7d9a08d8f4dd5c
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 24 03:13:04 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jan 24 03:13:04 2023 +0000
URL: https://gitweb.gentoo.org/proj/elfix.git/commit/?id=99f433ba
doc: regenerate
Signed-off-by: Sam James <sam <AT> gentoo.org>
doc/paxctl-ng.1 | 12 ++++++------
doc/revdep-pax.1 | 18 +++++++++---------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/doc/paxctl-ng.1 b/doc/paxctl-ng.1
index 72d57cb..6431238 100644
--- a/doc/paxctl-ng.1
+++ b/doc/paxctl-ng.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -46,7 +46,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -56,12 +56,12 @@
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
+. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PAXCTL-NG 1"
-.TH PAXCTL-NG 1 "2014-10-13" "elfix 0.9" "Documentation for elfix"
+.TH PAXCTL-NG 1 "2023-01-24" "elfix 0.9" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
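Review bot: the only change in this hunk is the `.TH` date moving from "2014-10-13" to "2023-01-24" while the release string stays "elfix 0.9", so every regeneration will touch this line even when the POD source is unchanged. Passing a fixed date to pod2man (its `--date` option) would keep future regenerations from producing date-only diffs.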
diff --git a/doc/revdep-pax.1 b/doc/revdep-pax.1
index cb76b52..121d7e6 100644
--- a/doc/revdep-pax.1
+++ b/doc/revdep-pax.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -46,7 +46,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -56,12 +56,12 @@
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
+. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "REVDEP-PAX 1"
-.TH REVDEP-PAX 1 "2014-10-13" "elfix 0.9" "Documentation for elfix"
+.TH REVDEP-PAX 1 "2023-01-24" "elfix 0.9" "Documentation for elfix"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -168,7 +168,7 @@ against it. The library can either be specified by its \s-1SONAME\s0 as it is r
by \fBldd\fR(1), or by the full path to the \s-1LIBRARY\s0 file. Symbolic links are
dereferenced. The user can optionally scan for all forward mappings on the
system (\-f), for all reverse mappings (\-r), for forward mappings of just one
-\&\s-1OBJECT \s0(\-b), for reverse mappings of just one \s-1SONAME \s0(\-s) or one \s-1LIBRARY \s0(\-l).
+\&\s-1OBJECT\s0 (\-b), for reverse mappings of just one \s-1SONAME\s0 (\-s) or one \s-1LIBRARY\s0 (\-l).
In verbose mode (\-v), all mappings are reported, not just mismatching ones,
and in mark mode (\-m), the user is prompted whether to proceed with the migration,
so that the PaX flags of the target inherit the flags of the source.
@@ -179,9 +179,9 @@ so that the PaX flags of the target inherit the flags of the source.
.PD 0
.IP "\fB\-r\fR Scan the system for all reverse mappings." 4
.IX Item "-r Scan the system for all reverse mappings."
-.IP "\fB\-b\fR \s-1OBJECT \s0 Retrieve only the forward mappings for this \s-1ELF OBJECT.\s0" 4
+.IP "\fB\-b\fR \s-1OBJECT\s0 Retrieve only the forward mappings for this \s-1ELF OBJECT.\s0" 4
.IX Item "-b OBJECT Retrieve only the forward mappings for this ELF OBJECT."
-.IP "\fB\-s\fR \s-1SONAME \s0 Retrieve only the reverse mappings for this \s-1SONAME.\s0" 4
+.IP "\fB\-s\fR \s-1SONAME\s0 Retrieve only the reverse mappings for this \s-1SONAME.\s0" 4
.IX Item "-s SONAME Retrieve only the reverse mappings for this SONAME."
.IP "\fB\-l\fR \s-1LIBRARY\s0 Retrieve only the reverse mappings for this \s-1LIBRARY.\s0" 4
.IX Item "-l LIBRARY Retrieve only the reverse mappings for this LIBRARY."