diff options
Diffstat (limited to 'kernels/pax-flags-libre/pax-flags-libre.8')
| -rw-r--r-- | kernels/pax-flags-libre/pax-flags-libre.8 | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/kernels/pax-flags-libre/pax-flags-libre.8 b/kernels/pax-flags-libre/pax-flags-libre.8 new file mode 100644 index 000000000..f27ae82f8 --- /dev/null +++ b/kernels/pax-flags-libre/pax-flags-libre.8 @@ -0,0 +1,112 @@ +.TH pax-flags-libre 8 "" 2013-02-18 +.SH NAME +\fBpax-flags-libre\fR \- Configure PaX flags for several binaries +.SH SYNOPSIS +\fBpax-flags-libre\fR [options] [filter] +.SH DESCRIPTION +\fBpax-flags-libre\fR is written to configure PaX flags for a set of binaries. +It is intended to ease the usage of PaX (linux-libre-pax) or grsecurity (linux-libre-grsec, +linux-libre-grsec-lts) enabled kernel on Parabola GNU/Linux-libre. +.P +PaX flags for a set of binaries are collected in YAML format configuration +files. By default, every .conf file from /etc/pax-flags and +/usr/share/pax-flags-libre is read. See the CONFIGURATION section for the file +format. +.P +Root privileges are needed. If you set a value to $PAX_FLAGS_SUDO, +\fBpax-flags-libre\fR will be called with sudo. +.SH OPTIONS +.TP +\-c, \-\-config <path> +Override default configuration paths. Requires one path argument. Can contain +globs (escape them in some shells (zsh for example)). +.TP +\-h, \-\-help +Displays a short usage message and option summary. +.TP +\-p, \-\-prepend +Do not actually change anything. +.TP +\-x, \-\-xattr +Sets the PaX flags through setfattr, underlying filesystems need xattr support. +.TP +\-y, \-\-yes +Non-interactive mode. Assume yes on any question. +.SH FILES +.TP +/etc/pax-flags/*.conf +Files for overriding the standard flag set and path pattern configuration. +.TP +/usr/share/pax-flags-libre/*.conf +The shipped configuration. +.SH CONFIGURATION +There are \fBsimple\fR configuration entries and \fBcomplex\fR ones. Complex +configuration for a certain flag set and path pattern overrides simple. To +override a simple entry with a complex one, the flag sets and path patterns have +to match exactly. +.SS "Simple entries" +Simple configuration entries just set the PaX flags for a set of binaries. The +format is as follows: +.P +PSmXER: +.br + \- /usr/bin/ruby + \- /usr/bin/glx* +.P +\fBPSmXER\fR is the set of flags. Every letter represents a PaX flag. Uppercase +enables the flag, lowercase disables it. See paxctl(1) for more details. This +example disables MPROTECT on /usr/bin/ruby and /usr/bin/glx*. +.SS "Complex entries" +With complex entries it is possible to stop a daemon before setting the flags +and starting it afterwards. The format is as follows: +.P +PSmXER: +.br + \- /usr/sbin/clamd: + type: systemd +.P +This would stop clamd, disable MPROTECT for the binary and start the daemon +again. The \fBtype\fR option values correspond to presets of status, start, stop +actions. Currently there exists only "systemd". By default the systemd unit file +would be "clamd" in this case or the basename of the path in general. +.P +PSmXEr: +.br + \- /usr/lib/polkit-1/polkitd: + type: systemd + systemd_name: polkit +.P +The \fBsystemd_name\fR option can be used to configure a differing systemd unit +name. +.P +PSmXEr: +.br + \- /usr/lib/iceweasel/iceweasel: + status: "pidof iceweasel" + start: "iceweasel &" + stop: "killall iceweasel" +.P +This would configure custom actions for \fBstatus\fR, \fBstart\fR and +\fBstop\fR. +.P +PSmXER: +.br + \- /usr/bin/ruby: + skip: true +.P +This would override a simple entry for the same flag set and path pattern and +cause it to be skipped. +.P +PSmXER: +.br + \- /usr/lib32/somebinary: + header: create +.P +This would cause paxctl to not convert the old binary header, but create a new +one. See paxctl(1) for more details. +.SH AUTHOR +henning mueller <henning@orgizm.net> +.SH SEE ALSO +\- paxctl(1) +.br +\- http://www.yaml.org |