- Controlling PaX Flags
- 控制可执行文件的 PaX 标记
- Displaying Program Capabilities
grep -e PAX_MPROTECT= -e GRKERNSEC= /boot/config-hardened
grep -e GRKERNSEC_CHROOT /boot/config-hardened
apk add paxctl
# gradm grsecurity RBAC administration and policy analysis utility
apk add gradm
sysctl -w kernel.pax.softmode=1 echo 'kernel.pax.softmode=1' >> /etc/sysctl.conf
use of CAP_SYS_ADMIN in chroot denied
sysctl -w kernel.grsecurity.chroot_caps=0 sysctl -w kernel.grsecurity.chroot_deny_mount=0
PAX_MPROTECT Enabling this option will prevent programs from
- changing the executable status of memory pages that were not originally created as executable,
- making read-only executable pages writable again,
- creating executable pages from anonymous memory,
- making read-only-after-relocations (RELRO) data pages writable again.
You should say Y here to complete the protection provided by the enforcement of non-executable pages.
NOTE: you can use the 'chpax' or 'paxctl' utilities to control this feature on a per file basis.
PAX_SOFTMODE Enabling this option will allow you to run PaX in soft mode, that is, PaX features will not be enforced by default, only on executables marked explicitly. You must also enable PT_PAX_FLAGS or XATTR_PAX_FLAGS support as they are the only way to mark executables for soft mode use.
Soft mode can be activated by using the "pax_softmode=1" kernel command line option on boot. Furthermore you can control various PaX features at runtime via the entries in /proc/sys/kernel/pax.