[grsec] what is the difference between "EI_PAX" & "PT_PAX_FLAGS"

pageexec at freemail.hu pageexec at freemail.hu
Sat Feb 12 20:56:17 EST 2005

> I have some confusion about EI_PAX and PT_PAX_FLAGS:
> what are they, how are they implemented, and what is the difference?

these two terms refer to two ways of marking ELF files for use
under PaX. in particular, these markings encode information that
lets one specify what kind of PaX restrictions have to be applied
to the given executable (i use 'executable' as 'the app that you
pass to execve()'; it doesn't mean ET_EXEC ELF files alone, the
ET_DYN/PIE kind is covered as well).

the EI_PAX marking reuses a reserved area of the ELF header itself;
therefore it always exists in any ELF file and you don't have to add
it yourself. the default value of these bits is all 0s, and the
ELF header parser in PaX interprets that as PSMRex. chpax can be
used to flip these bits as necessary. since this method abuses a
reserved area, it has been abandoned for a better approach.

the PT_PAX_FLAGS marking is a new ELF program header type (you can
list them via 'readelf -l') and therefore it has to be explicitly
added by the toolchain ('ld' in particular). since this program
header is specific to PaX, the mainline binutils doesn't emit it;
you have to use a patched binutils and create (link) your executables
with it. in theory it's also possible to add it later or convert
another program header to PT_PAX_FLAGS, maybe i'll add that capability
to paxctl. note that chpax knows only about EI_PAX and paxctl knows
about PT_PAX_FLAGS but not EI_PAX (this was an intentional choice,
but you have the source and can hack it of course). the patched
binutils creates the 'ex' flag state by default, that is, EMUTRAMP
and RANDEXEC are explicitly disabled; the other flags have their
default meaning based on the softmode setting of your kernel.
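added illustration, not part of pageexec's reply: a small Python decoder for both markings described above. it walks the ELF64 program header table for a PT_PAX_FLAGS entry (the same table 'readelf -l' prints) and separately decodes the EI_PAX bytes of the header. the EI_PAX offset, the PT_PAX_FLAGS type value and the flag bit assignments are taken from the PaX patch and chpax as i recall them and are assumptions here, as is the constructed sample ELF image built inside the block.

```python
"""Decode the two PaX markings the post describes from a little-endian ELF64 image."""
import struct

# Values as in the PaX kernel patch and chpax (my assumption; the post names no numbers).
EI_PAX = 14                 # e_ident[14..15]: legacy marking in the reserved header bytes
PT_PAX_FLAGS = 0x65041580   # PaX-specific program header type (PT_LOOS + 0x5041580)

# Letter order follows the post's "PSMRex".  PT_PAX_FLAGS has an (enable, disable) bit pair
# per feature; EI_PAX has one bit that flips the feature away from the all-zero default.
PF_BITS = {"P": (1 << 4, 1 << 5), "S": (1 << 6, 1 << 7), "M": (1 << 8, 1 << 9),
           "R": (1 << 14, 1 << 15), "E": (1 << 12, 1 << 13), "X": (1 << 10, 1 << 11)}
HF_BITS = {"P": 1, "S": 32, "M": 4, "R": 8, "E": 2, "X": 16}

def decode_pt_pax_flags(p_flags):
    """Uppercase = on, lowercase = off, '-' = unmarked (kernel softmode setting decides)."""
    out = []
    for letter, (on, off) in PF_BITS.items():
        if p_flags & on and p_flags & off:
            raise ValueError(f"{letter}: enable and disable bits both set")
        out.append(letter if p_flags & on else letter.lower() if p_flags & off else "-")
    return "".join(out)

def decode_ei_pax(elf):
    """All-zero EI_PAX bytes decode to PSMRex, as the post states."""
    word = elf[EI_PAX] | (elf[EI_PAX + 1] << 8)
    out = []
    for letter, bit in HF_BITS.items():
        flipped = bool(word & bit)
        enabled = flipped if letter in "EX" else not flipped   # E and X default to off
        out.append(letter if enabled else letter.lower())
    return "".join(out)

def find_pt_pax_flags(elf):
    """Walk the program headers; None means ld did not emit a PT_PAX_FLAGS entry."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return decode_pt_pax_flags(p_flags)
    return None

def build_sample_elf(pax_p_flags, ei_pax=0):
    """Constructed minimal ELF64 (ET_DYN, x86-64): header plus one PT_PAX_FLAGS entry."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(6) + struct.pack("<H", ei_pax)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

running find_pt_pax_flags on build_sample_elf((1 << 13) | (1 << 11)) gives "----ex", the 'ex' state the patched ld emits by default, while decode_ei_pax on the same image gives "PSMRex" for the untouched header bytes.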
