doc/paxctl-ng.pod: initial draft

6 files changed, 315 insertions, 29 deletions

diff --git a/doc/fix-gnustack.1 b/doc/fix-gnustack.1
index 0b98b51..7602e19 100644
--- a/doc/fix-gnustack.1
+++ b/doc/fix-gnustack.1
@@ -124,29 +124,40 @@
 .\" ========================================================================
 .\"
 .IX Title "FIX-GNUSTACK 1"
-.TH FIX-GNUSTACK 1 "2011-04-14" "elfix 0.1" "Documentation for elfix"
+.TH FIX-GNUSTACK 1 "2011-04-14" "elfix 0.2" "Documentation for elfix"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
 .nh
 .SH "NAME"
-fix\-gnustack \- Query or clear the ELF GNU_STACK executable flag
+fix\-gnustack \- query or clear any ELF GNU_STACK executable flag
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
-\&\fBfix-gnustack\fR scans the program headers of \s-1ELF\s0 binaries or shared
-object libraries and reports if a \s-1GNU_STACK\s0 entry is marked both
-writeable and executable.  On PaX hardened kernels where memory
-protection (\s-1MPROTECT\s0) is enforced, execution of binaries with \s-1WX\s0
-\&\s-1GNU_STACKS\s0, or binaries linking against libraries with \s-1WX\s0 \s-1GNU_STACKS\s0,
-is terminated by the kernel.  When \fBfix-gnustack\fR is called without
-the \fB\-f\fR option, it simply reports the \s-1RWX\s0 (read/write/execute)
-flags on any \s-1GNU_STACK\s0 found.  When called with the \fB\-f\fR option,
-it clears the X flag if both W and X are found.
+\&\fBfix-gnustack\fR \-h
+.PP
+\&\fBfix-gnustack\fR [\-f] ELFfile
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBfix-gnustack\fR scans the program headers of an \s-1ELF\s0 binary or shared
+object library and reports if it has a \s-1GNU_STACK\s0 entry and if it is
+marked both writeable and executable.  On PaX hardened kernels where
+memory protection (\s-1MPROTECT\s0) is enforced, execution of binaries with
+\&\s-1WX\s0 marked \s-1GNU_STACKS\s0, or of binaries linking against libraries with
+\&\s-1WX\s0 makred \s-1GNU_STACKS\s0, is terminated by the kernel.  When \fBfix-gnustack\fR
+is called without the \fB\-f\fR option on an ELFfile, it simply reports the
+\&\s-1RWX\s0 (read/write/execute) flags on any \s-1GNU_STACK\s0 entry found.  When called
+with \fB\-f\fR, it clears the X flag if a \s-1GNU_STACK\s0 entry is found and it
+has both W and X flags.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.IP "\fB\-f\fR" 4
-.IX Item "-f"
-Remove the X flag, i.e., \*(L"fix\*(R" the executable.
+.IP "\fB\-h\fR" 4
+.IX Item "-h"
+Print out a short help message and exit.
+.IP "[\fB\-f\fR] ELFfile" 4
+.IX Item "[-f] ELFfile"
+\&\*(L"Fix\*(R" the ELFfile, ie, remove the X flag from any \s-1GNU_STACK\s0 entry found
+if it has both W and X flags.  When called without, it simply reports
+what flags it found.
 .SH "HOMEPAGE"
 .IX Header "HOMEPAGE"
 http://dev.gentoo.org/~blueness/elfix
diff --git a/doc/fix-gnustack.pod b/doc/fix-gnustack.pod
index 3c6f6ba..0a715f6 100644
--- a/doc/fix-gnustack.pod
+++ b/doc/fix-gnustack.pod
@@ -1,26 +1,39 @@
 =head1 NAME
 
-B<fix-gnustack> - Query or clear the ELF GNU_STACK executable flag
+B<fix-gnustack> - query or clear any ELF GNU_STACK executable flag
 
 =head1 SYNOPSIS
 
-B<fix-gnustack> scans the program headers of ELF binaries or shared
-object libraries and reports if a GNU_STACK entry is marked both
-writeable and executable.  On PaX hardened kernels where memory
-protection (MPROTECT) is enforced, execution of binaries with WX
-GNU_STACKS, or binaries linking against libraries with WX GNU_STACKS,
-is terminated by the kernel.  When B<fix-gnustack> is called without
-the B<-f> option, it simply reports the RWX (read/write/execute)
-flags on any GNU_STACK found.  When called with the B<-f> option,
-it clears the X flag if both W and X are found.
+B<fix-gnustack> -h
+
+B<fix-gnustack> [-f] ELFfile
+
+=head1 DESCRIPTION
+
+B<fix-gnustack> scans the program headers of an ELF binary or shared
+object library and reports if it has a GNU_STACK entry and if it is
+marked both writeable and executable.  On PaX hardened kernels where
+memory protection (MPROTECT) is enforced, execution of binaries with
+WX marked GNU_STACKS, or of binaries linking against libraries with
+WX makred GNU_STACKS, is terminated by the kernel.  When B<fix-gnustack>
+is called without the B<-f> option on an ELFfile, it simply reports the
+RWX (read/write/execute) flags on any GNU_STACK entry found.  When called
+with B<-f>, it clears the X flag if a GNU_STACK entry is found and it
+has both W and X flags.
 
 =head1 OPTIONS
 
 =over
 
-=item B<-f>
+=item B<-h>
+
+Print out a short help message and exit.
+
+=item [B<-f>] ELFfile
 
-Remove the X flag, i.e., "fix" the executable.
+"Fix" the ELFfile, ie, remove the X flag from any GNU_STACK entry found
+if it has both W and X flags.  When called without, it simply reports
+what flags it found.
 
 =back
 
diff --git a/doc/make.sh b/doc/make.sh
index fc81032..a42e166 100755
--- a/doc/make.sh
+++ b/doc/make.sh
@@ -8,7 +8,15 @@ rm -f fix-gnustack.1
 pod2man \
  --official \
  --section="1" \
- --release="elfix 0.1" \
+ --release="elfix 0.2" \
  --center="Documentation for elfix" \
  --date="2011-04-14" \
  fix-gnustack.pod > fix-gnustack.1
+
+pod2man \
+ --official \
+ --section="1" \
+ --release="elfix 0.2" \
+ --center="Documentation for elfix" \
+ --date="2011-08-18" \
+ paxctl-ng.pod > paxctl-ng.1
diff --git a/doc/paxctl-ng.1 b/doc/paxctl-ng.1
new file mode 100644
index 0000000..d924e1f
--- /dev/null
+++ b/doc/paxctl-ng.1
@@ -0,0 +1,187 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "PAXCTL-NG 1"
+.TH PAXCTL-NG 1 "2011-08-18" "elfix 0.2" "Documentation for elfix"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+paxctl\-ng \- get or consistently set the pax flags for both EI_PAX and PT_PAX
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBpaxctl-ng\fR [\-h]
+.PP
+\&\fBpaxctl-ng\fR [\-PpEeMmRrXxSs] [\-v] \s-1ELF\s0
+.PP
+\&\fBpaxctl-ng\fR \-Z [\-v] \s-1ELF\s0
+.PP
+\&\fBpaxctl-ng\fR \-z [\-v] \s-1ELF\s0
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBpaxctl-ng\fR scans the program headers of \s-1ELF\s0 binaries or shared
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-h\fR   Print out a short help message and exit." 4
+.IX Item "-h   Print out a short help message and exit."
+.PD 0
+.IP "" 4
+.IP "\fB\-P\fR or \fB\-p\fR   Enable or disable \s-1PAGEEXEC\s0" 4
+.IX Item "-P or -p   Enable or disable PAGEEXEC"
+.IP "\fB\-S\fR or \fB\-s\fR   Enable or disable \s-1SEGMEXEC\s0" 4
+.IX Item "-S or -s   Enable or disable SEGMEXEC"
+.IP "\fB\-M\fR or \fB\-m\fR   Enable or disable \s-1MPROTECT\s0" 4
+.IX Item "-M or -m   Enable or disable MPROTECT"
+.IP "\fB\-E\fR or \fB\-e\fR   Enable or disable \s-1EMUTRAMP\s0" 4
+.IX Item "-E or -e   Enable or disable EMUTRAMP"
+.IP "\fB\-R\fR or \fB\-r\fR   Enable or disable \s-1RANDMMAP\s0" 4
+.IX Item "-R or -r   Enable or disable RANDMMAP"
+.IP "\fB\-X\fR or \fB\-x\fR   Enable or disable \s-1RANDEXEC\s0" 4
+.IX Item "-X or -x   Enable or disable RANDEXEC"
+.PD
+If both enabling and disabling flags are set for one item, 
+eg. \-Pp for \s-1PAGEEXEC\s0, then the default setting \- is used is
+for \s-1PT_PAX\s0, while the most secure setting is used for \s-1EI_PAX\s0.
+.IP "\fB\-Z\fR Enable most secure settings (PSMeRX)" 4
+.IX Item "-Z Enable most secure settings (PSMeRX)"
+.PD 0
+.IP "\fB\-z\fR Enable default setting (\s-1PT_PAX\s0) or most secure setting (\s-1EI_PAX\s0)" 4
+.IX Item "-z Enable default setting (PT_PAX) or most secure setting (EI_PAX)"
+.IP "\fB\-v\fR View the flags" 4
+.IX Item "-v View the flags"
+.PD
+.SH "HOMEPAGE"
+.IX Header "HOMEPAGE"
+http://dev.gentoo.org/~blueness/elfix
+.SH "REPORTING BUGS"
+.IX Header "REPORTING BUGS"
+Please report bugs at http://bugs.gentoo.org.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBscanelf\fR(1), \fBdumpelf\fR(1), \fBpaxctl\fR(1), \fBpspax\fR(1), \fBfix-gnustack\fR(1).
+.SH "AUTHORS"
+.IX Header "AUTHORS"
+\&\fBAnthony G. Basile\fR <blueness@gentoo.org>
diff --git a/doc/paxctl-ng.pod b/doc/paxctl-ng.pod
new file mode 100644
index 0000000..db809ab
--- /dev/null
+++ b/doc/paxctl-ng.pod
@@ -0,0 +1,67 @@
+=head1 NAME
+
+B<paxctl-ng> - get or consistently set the pax flags for both EI_PAX and PT_PAX
+
+=head1 SYNOPSIS
+
+B<paxctl-ng> [-h]
+
+B<paxctl-ng> [-PpEeMmRrXxSs] [-v] ELF
+
+B<paxctl-ng> -Z [-v] ELF
+
+B<paxctl-ng> -z [-v] ELF
+
+=head1 DESCRIPTION
+
+B<paxctl-ng> scans the program headers of ELF binaries or shared
+
+=head1 OPTIONS
+
+=over
+
+=item B<-h>   Print out a short help message and exit.
+
+=item
+
+=item B<-P> or B<-p>   Enable or disable PAGEEXEC
+
+=item B<-S> or B<-s>   Enable or disable SEGMEXEC
+
+=item B<-M> or B<-m>   Enable or disable MPROTECT
+
+=item B<-E> or B<-e>   Enable or disable EMUTRAMP
+
+=item B<-R> or B<-r>   Enable or disable RANDMMAP
+
+=item B<-X> or B<-x>   Enable or disable RANDEXEC
+
+If both enabling and disabling flags are set for one item, 
+eg. -Pp for PAGEEXEC, then the default setting - is used is
+for PT_PAX, while the most secure setting is used for EI_PAX. 
+
+=item B<-Z> Enable most secure settings (PSMeRX)
+
+=item B<-z> Enable default setting (PT_PAX) or most secure setting (EI_PAX)
+
+=item B<-v> View the flags
+
+
+
+=back
+
+=head1 HOMEPAGE
+
+http://dev.gentoo.org/~blueness/elfix
+
+=head1 REPORTING BUGS
+
+Please report bugs at http://bugs.gentoo.org.
+
+=head1 SEE ALSO
+
+B<scanelf>(1), B<dumpelf>(1), B<paxctl>(1), B<pspax>(1), B<fix-gnustack>(1).
+
+=head1 AUTHORS
+
+B<Anthony G. Basile> <blueness@gentoo.org>
diff --git a/src/fix-gnustack.c b/src/fix-gnustack.c
index 2ef1a5d..6ca7d5b 100644
--- a/src/fix-gnustack.c
+++ b/src/fix-gnustack.c
@@ -40,7 +40,7 @@ print_help(char *v)
 		"Bug Reports  : " PACKAGE_BUGREPORT "\n"
 		"Program Name : %s\n"
 		"Description  : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
-		"Usage        : %s {[-f] ELFfile | [-h]}\n"
+		"Usage        : %s {[-f] ELF | [-h]}\n"
 		"options      :     Print out protection flags on PT_GNU_STACK\n"
 		"             : -f  Remove X if WX flags are set on PT_GNU_STACK\n"
 		"             : -h  Print out this help\n",
@@ -58,7 +58,7 @@ parse_cmd_args( int c, char *v[], int *flagv  )
 	int i, oc;
 
 	if((c != 2)&&(c != 3))
-		error(EXIT_FAILURE, 0, "Usage: %s {-h | [-f] ELFfile}", v[0]);
+		error(EXIT_FAILURE, 0, "Usage: %s {-h | [-f] ELF}", v[0]);
 
 	*flagv = 0 ;
 	while((oc = getopt(c, v,":fh")) != -1)