search

nning / linux-pax-flags

Deactivates PaX flags for several binaries to work with PaX enabled kernels.
7 stars 6 forks source link

readme

linux-pax-flags(8) System Manager's Manual linux-pax-flags(8)

NAME linux-pax-flags - Configure PaX flags for several binaries

SYNOPSIS linux-pax-flags [options] [filter]

DESCRIPTION linux-pax-flags is written to configure PaX flags for a set of bina‐ ries. It is intended to ease the usage of PaX (linux-pax) or grsecu‐ rity (linux-grsec, linux-grsec-lts) enabled kernel on Arch Linux.

   PaX flags for a set of binaries are collected in YAML format configura‐
   tion files. By  default,  every  .conf  file  from  /etc/pax-flags  and
   /usr/share/linux-pax-flags  is  read. See the CONFIGURATION section for
   the file format.

   Root privileges are needed. If you  set  a  value  to  $PAX_FLAGS_SUDO,
   linux-pax-flags will be called with sudo.

OPTIONS -c, --config Override default configuration paths. Requires one path argu‐ ment. Can contain globs (escape them in some shells (zsh for example)).

   -h, --help
          Displays a short usage message and option summary.

   -p, --prepend
          Do not actually change anything.

   -x, --xattr
          Sets the PaX flags through setfattr, underlying filesystems need
          xattr support.

   -y, --yes
          Non-interactive mode. Assume yes on any question.

FILES /etc/pax-flags/*.conf Files for overriding the standard flag set and path pattern con‐ figuration.

   /usr/share/linux-pax-flags/*.conf
          The shipped configuration.

CONFIGURATION There are simple configuration entries and complex ones. Complex con‐ figuration for a certain flag set and path pattern overrides simple. To override a simple entry with a complex one, the flag sets and path pat‐ terns have to match exactly.

Simple entries Simple configuration entries just set the PaX flags for a set of bina‐ ries. The format is as follows:

   PSmXER:
     - /usr/bin/ruby
     - /usr/bin/glx*

   PSmXER  is the set of flags. Every letter represents a PaX flag. Upper‐
   case enables the flag, lowercase disables it. See  paxctl(1)  for  more
   details.   This   example   disables   MPROTECT  on  /usr/bin/ruby  and
   /usr/bin/glx*.

Complex entries With complex entries it is possible to stop a daemon before setting the flags and starting it afterwards. The format is as follows:

   PSmXER:
     - /usr/sbin/clamd:
       type: systemd

   This  would  stop  clamd, disable MPROTECT for the binary and start the
   daemon again. The type option values correspond to presets  of  status,
   start,  stop actions. Currently there exists only "systemd". By default
   the systemd unit file would be "clamd" in this case or the basename  of
   the path in general.

   PSmXEr:
     - /usr/lib/polkit-1/polkitd:
       type: systemd
       systemd_name: polkit

   The  systemd_name  option  can be used to configure a differing systemd
   unit name.

   PSmXEr:
     - /usr/lib/firefox/firefox:
       status: "pidof firefox"
       start: "firefox &"
       stop: "killall firefox"

   This would configure custom actions for status, start and stop.

   PSmXER:
     - /usr/bin/ruby:
       skip: true

   This would override a simple entry for the same flag set and path  pat‐
   tern and cause it to be skipped.

   PSmXER:
     - /usr/lib32/skype/skype:
       header: create

   This  would cause paxctl to not convert the old binary header, but cre‐
   ate a new one. See paxctl(1) for more details.

AUTHOR henning mueller henning@orgizm.net

SEE ALSO

2013-02-18 linux-pax-flags(8)