PSECFLAGS(1)                     User Commands                    PSECFLAGS(1)


NAME
       psecflags - inspect or modify process security flags

SYNOPSIS
       /usr/bin/psecflags -s spec -e command
            [arg]...

       /usr/bin/psecflags -s spec [-i idtype]
            id ...

       /usr/bin/psecflags [-F] { pid | core }

       /usr/bin/psecflags -l


DESCRIPTION
       The first invocation of the psecflags command runs the specified
       command with the security-flags modified as described by the -s
       argument.

       The second invocation modifies the security-flags of the processes
       selected by idtype and id, as described by the -s argument.

       The third invocation describes the security-flags of the specified
       processes or core files.  The effective set is signified by 'E', the
       inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.

       The fourth invocation lists the supported process security-flags,
       documented in security-flags(5).


OPTIONS
       The following options are supported:

       -e
                  Interpret the remaining arguments as a command line and run
                  the command with the security-flags specified with the -s
                  flag.


       -F
                  Force. Grab the target process even if another process has
                  control.


       -i idtype
                  This option, together with the id arguments, specifies one
                  or more processes whose security-flags will be modified.
                  The interpretation of the id arguments is based on idtype.
                  If idtype is omitted, the default is pid.

                  Valid idtype options are:

                  all
                             The psecflags command applies to all processes.


                  contract, ctid
                             The security-flags of any process with a contract
                             ID matching the id arguments are modified.


                  group, gid
                             The security-flags of any process with a group ID
                             matching the id arguments are modified.


                  pid
                             The security-flags of any process with a process
                             ID matching the id arguments are modified. This
                             is the default.


                  ppid
                             The security-flags of any processes whose parent
                             process ID matches the id arguments are modified.


                  project, projid
                             The security-flags of any process whose project
                             ID matches the id arguments are modified.


                  session, sid
                             The security-flags of any process whose session
                             ID matches the id arguments are modified.


                  taskid
                             The security-flags of any process whose task ID
                             matches the id arguments are modified.


                  user, uid
                             The security-flags of any process belonging to
                             the users matching the id arguments are modified.


                  zone, zoneid
                             The security-flags of any process running in the
                             zones matching the given id arguments are
                             modified.


       -l
                  List all supported process security-flags, described in
                  security-flags(5).


       -s specification
                  Modify the process security-flags according to
                  specification. A specification takes the form of a comma-
                  separated list of flags, each optionally preceded by a '-'
                  or '!' to indicate that the given flag should be removed
                  from the specification.  The pseudo-flags "all", "none" and
                  "current" are supported, to indicate that all flags, no
                  flags, or the current set of flags (respectively) are to be
                  included.

                  By default, the inheritable flags are changed.  You may
                  optionally specify the set to change using its single-
                  letter identifier and an equals sign (for example,
                  L=current,aslr).

                  For a list of valid security-flags, see psecflags -l.


EXAMPLES
       Example 1 Display the security-flags of the current shell.

         example$ psecflags $$
         100718:   -sh
              E:   aslr
              I:   aslr
              L:   none
              U:   aslr, forbidnullmap, noexecstack



       Example 2 Run a user command with ASLR enabled in addition to any
       inherited security flags.

         example$ psecflags -s current,aslr -e /bin/sh
         $ psecflags $$
         100724:   -sh
              E:   none
              I:   aslr
              L:   none
              U:   aslr, forbidnullmap, noexecstack



       Example 3 Remove aslr from the inheritable flags of all Bob's
       processes.

         example# psecflags -s current,-aslr -i uid bob


       Example 4 Add the aslr flag to the lower set, so that all future child
       processes must have this flag set.

         example# psecflags -s L=current,aslr $$


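       The following is an added example, not part of the original manual
       page: a shell function that reads output in the format shown in
       Examples 1 and 2 and reports each process whose effective (E) set
       lacks a given flag. The names missing_flag and sample_output are
       assumptions of this example, and the sample input is constructed
       from the two outputs shown above.

```shell
#!/bin/sh
# Added example, not part of the psecflags manual page.
# missing_flag FLAG
#   Reads psecflags output on stdin and prints "pid command" for every
#   process whose effective (E) set does not list FLAG.
missing_flag() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+:$/ {               # header line: "<pid>:  <command>"
            pid = $1; sub(/:$/, "", pid)
            $1 = ""; sub(/^[ \t]+/, ""); cmd = $0
            next
        }
        $1 == "E:" {                     # effective set: "E:  a, b" or "E:  none"
            $1 = ""; gsub(/[ \t]/, "")   # $0 is now "a,b" or "none"
            n = split($0, flags, ",")
            found = 0
            for (i = 1; i <= n; i++) if (flags[i] == want) found = 1
            if (!found) print pid, cmd
        }
    '
}

# Constructed sample: the outputs of Examples 1 and 2 above, concatenated.
sample_output() {
    cat <<'EOF'
100718:   -sh
     E:   aslr
     I:   aslr
     L:   none
     U:   aslr, forbidnullmap, noexecstack
100724:   -sh
     E:   none
     I:   aslr
     L:   none
     U:   aslr, forbidnullmap, noexecstack
EOF
}

sample_output | missing_flag aslr
```

       On a system that provides psecflags, the same function can be fed
       live output, for example: psecflags $$ | missing_flag aslr
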
EXIT STATUS
       The following exit values are returned:


       0

              Success.


       non-zero

              An error has occurred.


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Volatile        |
       +--------------------+-----------------+

SEE ALSO
       exec(2), attributes(5), contract(4), security-flags(5), zones(5)



                                  May 3, 2014                     PSECFLAGS(1)