1 '\" te
   2 .\" This file and its contents are supplied under the terms of the
   3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
   4 .\" You may only use this file in accordance with the terms of version
   5 .\" 1.0 of the CDDL.
   6 .\"
   7 .\" A full copy of the text of the CDDL should have accompanied this
   8 .\" source.  A copy of the CDDL is also available via the Internet at
   9 .\" http://www.illumos.org/license/CDDL.
  10 .\"
  11 .\" Copyright 2015, Richard Lowe.
  12 .\"
  13 .TH "PSECFLAGS" "1" "June 6, 2016"
  14 .SH "NAME"
  15 \fBpsecflags\fR - inspect or modify process security flags
  16 .SH "SYNOPSIS"
  17 .LP
  18 .nf
  19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
  20 [\fIarg\fR]...
  21 .fi
  22 .LP
  23 .nf
  24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
  25 \fIid\fR ...
  26 .fi
  27 .LP
  28 .nf
  29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
  30 .fi
  31 .LP
  32 .nf
  33 \fB/usr/bin/psecflags\fR \fI-l\fR
  34 .fi
  35 
  36 .SH "DESCRIPTION"
  37 The first invocation of the \fBpsecflags\fR command runs the specified
  38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
  39 argument.
  40 .P
  41 The second invocation modifies the security-flags of the processes described
  42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
  43 .P
  44 The third invocation describes the security-flags of the specified processes
  45 or core files.  The effective set is signified by '\fBE\fR', the inheritable
  46 set by '\fBI\fR', the lower set by '\fBL\fR', and the upper set by '\fBU\fR'.
  47 .P
  48 The fourth invocation lists the supported process security-flags, documented
  49 in \fBsecurity-flags\fR(5).
  50 
  51 .SH "OPTIONS"
  52 The following options are supported:
  53 .sp
  54 .ne 2
  55 .na
  56 \fB-e\fR
  57 .ad
  58 .RS 11n
  59 Interpret the remaining arguments as a command line and run the command with
  60 the security-flags specified with the \fI-s\fR flag.
  61 .RE
  62 
  63 .sp
  64 .ne 2
  65 .na
  66 \fB-F\fR
  67 .ad
  68 .RS 11n
  69 Force. Grab the target process even if another process has control.
  70 .RE
  71 
  72 .sp
  73 .ne 2
  74 .na
  75 \fB-i\fR \fIidtype\fR
  76 .ad
  77 .RS 11n
  78 This option, together with the \fIid\fR arguments specify one or more
  79 processes whose security-flags will be modified. The interpretation of the
  80 \fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted the
  81 default is \fBpid\fR.
  82 
  83 Valid \fIidtype\fR options are:
  84 .sp
  85 .ne 2
  86 .na
  87 \fBall\fR
  88 .ad
  89 .RS 11n
  90 The \fBpsecflags\fR command applies to all processes
  91 .RE
  92 
  93 .sp
  94 .ne 2
  95 .na
  96 \fBcontract\fR, \fBctid\fR
  97 .ad
  98 .RS 11n
  99 The security-flags of any process with a contract ID matching the \fIid\fR
 100 arguments are modified.
 101 .RE
 102 
 103 .sp
 104 .ne 2
 105 .na
 106 \fBgroup\fR, \fBgid\fR
 107 .ad
 108 .RS 11n
 109 The security-flags of any process with a group ID matching the \fIid\fR
 110 arguments are modified.
 111 .RE
 112 
 113 .sp
 114 .ne 2
 115 .na
 116 \fBpid\fR
 117 .ad
 118 .RS 11n
 119 The security-flags of any process with a process ID matching the \fIid\fR
 120 arguments are modified. This is the default.
 121 .RE
 122 
 123 .sp
 124 .ne 2
 125 .na
 126 \fBppid\fR
 127 .ad
 128 .RS 11n
 129 The security-flags of any processes whose parent process ID matches the
 130 \fIid\fR arguments are modified.
 131 .RE
 132 
 133 .sp
 134 .ne 2
 135 .na
 136 \fBproject\fR, \fBprojid\fR
 137 .ad
 138 .RS 11n
 139 The security-flags of any process whose project ID matches the \fIid\fR
 140 arguments are modified.
 141 .RE
 142 
 143 .sp
 144 .ne 2
 145 .na
 146 \fBsession\fR, \fBsid\fR
 147 .ad
 148 .RS 11n
 149 The security-flags of any process whose session ID matches the \fIid\fR
 150 arguments are modified.
 151 .RE
 152 
 153 .sp
 154 .ne 2
 155 .na
 156 \fBtaskid\fR
 157 .ad
 158 .RS 11n
 159 The security-flags of any process whose task ID matches the \fIid\fR arguments
 160 are modified.
 161 .RE
 162 
 163 .sp
 164 .ne 2
 165 .na
 166 \fBuser\fR, \fBuid\fR
 167 .ad
 168 .RS 11n
 169 The security-flags of any process belonging to the users matching the \fIid\fR
 170 arguments are modified.
 171 .RE
 172 
 173 .sp
 174 .ne 2
 175 .na
 176 \fBzone\fR, \fBzoneid\fR
 177 .ad
 178 .RS 11n
 179 The security-flags of any process running in the zones matching the given
 180 \fIid\fR arguments are modified.
 181 .RE
 182 .RE
 183 
 184 .sp
 185 .ne 2
 186 .na
 187 \fB-l\fR
 188 .ad
 189 .RS 11n
 190 List all supported process security-flags, described in
 191 \fBsecurity-flags\fR(5).
 192 .RE
 193 
 194 .sp
 195 .ne 2
 196 .na
 197 \fB-s\fR \fIspecification\fR
 198 .ad
 199 .RS 11n
 200 Modify the process security-flags according to
 201 \fIspecification\fR. Specifications take the form of a comma-separated list of
 202 flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the
 203 given flag should be removed from the specification.  The pseudo-flags "all",
 204 "none" and "current" are supported, to indicate that all flags, no flags, or
 205 the current set of flags (respectively) are to be included.
 206 .P
 207 By default, the inheritable flags are changed.  You may optionally specify the
 208 set to change using their single-letter identifiers and an equals sign.
 209 .P
 210 For a list of valid security-flags, see \fBpsecflags -l\fR.
 211 .RE
 212 
 213 .SH "EXAMPLES"
 214 .LP
 215 \fBExample 1\fR Display the security-flags of the current shell.
 216 .sp
 217 .in +2
 218 .nf
 219 example$ \fBpsecflags $$\fR
 220 100718: -sh
 221         E:      aslr
 222         I:      aslr
 223         L:      none
 224         U:      aslr,forbidnullmap,noexecstack
 225 .fi
 226 .in -2
 227 .sp
 228 
 229 .LP
 230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
 231 inherited security flags.
 232 .sp
 233 .in +2
 234 .nf
 235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
 236 $ psecflags $$
 237 100724: -sh
 238         E:      none
 239         I:      aslr
 240         L:      none
 241         U:      aslr,forbidnullmap,noexecstack
 242 .fi
 243 .in -2
 244 .sp
 245 
 246 .LP
 247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
 248 .sp
 249 .in +2
 250 .nf
 251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
 252 .fi
 253 .in -2
 254 
 255 .LP
 256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
 257 child processes must have this flag set.
 258 .sp
 259 .in +2
 260 .nf
 261 example# \fBpsecflags -s L=current,aslr $$\fR
 262 .fi
 263 .in -2
 264 
 265 .SH "EXIT STATUS"
 266 The following exit values are returned:
 267 
 268 .TP
 269 \fB0\fR
 270 .IP
 271 Success.
 272 
 273 .TP
 274 \fBnon-zero\fR
 275 .IP
 276 An error has occured.
 277 
 278 .SH "ATTRIBUTES"
 279 .LP
 280 See \fBattributes\fR(5) for descriptions of the following attributes:
 281 .sp
 282 
 283 .sp
 284 .TS
 285 box;
 286 c | c
 287 l | l .
 288 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 289 _
 290 Interface Stability     Volatile
 291 .TE
 292 
 293 .SH "SEE ALSO"
 294 .BR exec (2),
 295 .BR attributes (5),
 296 .BR contract (4),
 297 .BR security-flags (5),
 298 .BR zones (5)