Code review comments from jeffpc
   1 '\" te
   2 .\" This file and its contents are supplied under the terms of the
   3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
   4 .\" You may only use this file in accordance with the terms of version
   5 .\" 1.0 of the CDDL.
   6 .\"
   7 .\" A full copy of the text of the CDDL should have accompanied this
   8 .\" source.  A copy of the CDDL is also available via the Internet at
   9 .\" http://www.illumos.org/license/CDDL.
  10 .\"
  11 .\" Copyright 2015, Richard Lowe.
  12 .\"
  13 .TH "PSECFLAGS" "1" "May 3, 2014"
  14 .SH "NAME"
  15 \fBpsecflags\fR - inspect or modify process security flags
  16 .SH "SYNOPSIS"
  17 .LP
  18 .nf
  19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR
  20         [\fIarg\fR]...
  21 .fi
  22 .LP
  23 .nf
  24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR]
  25         \fIid\fR ...
  26 .fi
  27 .LP
  28 .nf
  29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
  30 .fi
  31 .LP
  32 .nf
  33 \fB/usr/bin/psecflags\fR \fI-l\fR
  34 .fi
  35 
  36 .SH "DESCRIPTION"
  37 The first invocation of the \fBpsecflags\fR command runs the specified
  38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
  39 argument.
  40 .P
  41 The second invocation modifies the security-flags of the processes described
  42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
  43 .P
  44 The third invocation describes the security-flags of the specified processes
  45 or core files.  The effective set is signified by '\fBE\fR', the inheritable


 204 "none" and "current" are supported, to indicate that all flags, no flags, or
 205 the current set of flags (respectively) are to be included.
 206 .P
 207 By default, the inheritable flags are changed.  You may optionally specify the
 208 set to change using their single-letter identifiers and an equals sign.
 209 .P
 210 For a list of valid security-flags, see \fBpsecflags -l\fR.
 211 .RE
 212 
 213 .SH "EXAMPLES"
 214 .LP
 215 \fBExample 1\fR Display the security-flags of the current shell.
 216 .sp
 217 .in +2
 218 .nf
 219 example$ \fBpsecflags $$\fR
 220 100718: -sh
 221         E:      aslr
 222         I:      aslr
 223         L:      none
 224         U:      aslr, forbidnullmap, noexecstack
 225 .fi
 226 .in -2
 227 .sp
 228 
 229 .LP
 230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
 231 inherited security flags.
 232 .sp
 233 .in +2
 234 .nf
 235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
 236 $ psecflags $$
 237 100724: -sh
 238         E:      none
 239         I:      aslr
 240         L:      none
 241         U:      aslr, forbidnullmap, noexecstack
 242 .fi
 243 .in -2
 244 .sp
 245 
 246 .LP
 247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
 248 .sp
 249 .in +2
 250 .nf
 251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
 252 .fi
 253 .in -2
 254 
 255 .LP
 256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
 257 child processes must have this flag set.
 258 .sp
 259 .in +2
 260 .nf
 261 example# \fBpsecflags -s L=current,aslr $$\fR


   1 '\" te
   2 .\" This file and its contents are supplied under the terms of the
   3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
   4 .\" You may only use this file in accordance with the terms of version
   5 .\" 1.0 of the CDDL.
   6 .\"
   7 .\" A full copy of the text of the CDDL should have accompanied this
   8 .\" source.  A copy of the CDDL is also available via the Internet at
   9 .\" http://www.illumos.org/license/CDDL.
  10 .\"
  11 .\" Copyright 2015, Richard Lowe.
  12 .\"
  13 .TH "PSECFLAGS" "1" "June 6, 2016"
  14 .SH "NAME"
  15 \fBpsecflags\fR - inspect or modify process security flags
  16 .SH "SYNOPSIS"
  17 .LP
  18 .nf
  19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
  20 [\fIarg\fR]...
  21 .fi
  22 .LP
  23 .nf
  24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
  25 \fIid\fR ...
  26 .fi
  27 .LP
  28 .nf
  29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
  30 .fi
  31 .LP
  32 .nf
  33 \fB/usr/bin/psecflags\fR \fI-l\fR
  34 .fi
  35 
  36 .SH "DESCRIPTION"
  37 The first invocation of the \fBpsecflags\fR command runs the specified
  38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
  39 argument.
  40 .P
  41 The second invocation modifies the security-flags of the processes described
  42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
  43 .P
  44 The third invocation describes the security-flags of the specified processes
  45 or core files.  The effective set is signified by '\fBE\fR', the inheritable
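
Review bot: the new SYNOPSIS lines 19 and 24 end in a backslash inside .nf, which makes roff join each with the following line, so "[arg]..." and "id ..." now print on the same output line as the command instead of on an indented continuation line as before. If the two-line layout was intended, keep the explicit break and indent; if the join is intended, check that the rendered line fits the page width. While this region is being touched, line 42 still reads "according as described by the -s argument"; dropping "according" fixes the sentence.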


 204 "none" and "current" are supported, to indicate that all flags, no flags, or
 205 the current set of flags (respectively) are to be included.
 206 .P
 207 By default, the inheritable flags are changed.  You may optionally specify the
 208 set to change using their single-letter identifiers and an equals sign.
 209 .P
 210 For a list of valid security-flags, see \fBpsecflags -l\fR.
 211 .RE
 212 
 213 .SH "EXAMPLES"
 214 .LP
 215 \fBExample 1\fR Display the security-flags of the current shell.
 216 .sp
 217 .in +2
 218 .nf
 219 example$ \fBpsecflags $$\fR
 220 100718: -sh
 221         E:      aslr
 222         I:      aslr
 223         L:      none
 224         U:      aslr,forbidnullmap,noexecstack
 225 .fi
 226 .in -2
 227 .sp
 228 
 229 .LP
 230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
 231 inherited security flags.
 232 .sp
 233 .in +2
 234 .nf
 235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
 236 $ psecflags $$
 237 100724: -sh
 238         E:      none
 239         I:      aslr
 240         L:      none
 241         U:      aslr,forbidnullmap,noexecstack
 242 .fi
 243 .in -2
 244 .sp
 245 
 246 .LP
 247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
 248 .sp
 249 .in +2
 250 .nf
 251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
 252 .fi
 253 .in -2
 254 
 255 .LP
 256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
 257 child processes must have this flag set.
 258 .sp
 259 .in +2
 260 .nf
 261 example# \fBpsecflags -s L=current,aslr $$\fR
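
Review bot: Example 2 (lines 235-241) shows "E: none" for a shell started with "-s current,aslr -e /bin/sh", while Example 1 shows "E: aslr" next to "I: aslr", and nothing in the visible text explains why a command run with ASLR "enabled" reports an empty effective set. Either confirm that this output comes from a real run and add a sentence on when inheritable flags become effective, or correct the sample. The change of the U: lines to "aslr,forbidnullmap,noexecstack" without spaces is applied consistently in both examples; Example 4 ends at the command with no resulting output shown, which would help here given it is the only example that changes the lower set.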