1 .\"
   2 .\" This file and its contents are supplied under the terms of the
   3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
   4 .\" You may only use this file in accordance with the terms of version
   5 .\" 1.0 of the CDDL.
   6 .\"
   7 .\" A full copy of the text of the CDDL should have accompanied this
   8 .\" source.  A copy of the CDDL is also available via the Internet at
   9 .\" http://www.illumos.org/license/CDDL.
  10 .\"
  11 .TH "SECURITY-FLAGS" "5" "May 5, 2014"
  12 .SH "NAME"
  13 \fBsecurity-flags\fR - process security flags
  14 .SH "DESCRIPTION"
  15 Each process on an illumos system has an associated set of security-flags
  16 which describe additional per-process security and exploit mitigation
  17 features which are enabled for that process.
  18 .P
  19 There are two sets of these flags for each process, the effective set
  20 (abbreviated \fIE\fR) are the set which currently apply to the process and are
  21 immutable. The inheritable set (abbreviated \fII\fR) are the flags which will
  22 become effective the next time the process calls one of the \fBexec(2)\fR
  23 family of functions, and will be inherited as both the effective and
  24 inheritable sets by any child processes. The inheritable set may be changed
  25 at any time, subject to permissions.
  26 .P
  27 To change the security-flags of a process one must have both permissions
  28 equivalent to those required to send a signal to the process and have the
  29 \fBPRIV_PROC_SECFLAGS\fR privilege.
  30 .P
  31 Currently available features are:
  32 
  33 .sp
  34 .ne 2
  35 .na
  36 Address Space Layout Randomisation (ASLR)
  37 .ad
  38 .RS 11n
  39 The base addresses of the stack, heap and shared library (including
  40 \fBld.so\fR) mappings are randomised, the bases of mapped regions other than
  41 those using \fBMAP_FIXED\fR are randomised.
  42 .P
  43 Currently, executable base addresses are \fInot\fR randomised, due to which
  44 the mitigation provided by this feature is currently limited.
  45 .P
  46 This flag may also be enabled by the presence of the \fBDT_SUNW_ASLR\fR
  47 dynamic tag in the \fB.dynamic\fR section of the executable file. If this
  48 tag has a value of 1, ASLR will be enabled. If the flag has a value of
  49 \fB0\fR ASLR will be disabled. If the tag is not present, the value of the
  50 ASLR flag will be inherited as normal.
  51 .RE
  52 
  53 System default security-flags are configured via properties on the
  54 \fBsvc:/system/process-security\fR service, which contains a boolean property
  55 per-flag in the \fBsecflags\fR property group.  For example, to enable ASLR by
  56 default you would execute the following commands:
  57 .sp
  58 .in +2
  59 .nf
  60 # svccfg -s svc:/system/process-security setprop secflags/aslr = true
  61 .fi
  62 .in -2
  63 .sp
  64 .P
  65 This can be done by any user with the \fBsolaris.smf.value.process-security\fR
  66 authorization.
  67 .P
  68 Since security-flags are strictly inherited, this will not take effect until
  69 the system or zone is next booted.
  70 
  71 .SH "SEE ALSO"
  72 .BR psecflags (1),
  73 .BR svccfg (1M),
  74 .BR brk (2),
  75 .BR exec (2),
  76 .BR mmap (2),
  77 .BR mmapobj (2),
  78 .BR privileges (5),
  79 .BR rbac (5)