PSECFLAGS(1) User Commands PSECFLAGS(1)

NAME

psecflags - inspect or modify process security flags

SYNOPSIS


/usr/bin/psecflags -s [-+]flags -e command [arg]...


/usr/bin/psecflags -s [-+]flags [-i idtype] id ...


/usr/bin/psecflags [-F] { pid | core }


/usr/bin/psecflags -l

 

DESCRIPTION

The first invocation of the psecflags command runs the specified command with the security-flags modified as described by the -s argument.

The second invocation modifies the security-flags of the processes selected by idtype and id, as described by the -s argument.

The third invocation describes the security-flags of the specified processes or core files. The effective set is signified by 'E', and the inheritable set by 'I'.

The fourth invocation lists the supported process security-flags.

 

OPTIONS

The following options are supported:
 
-e
Interpret the remaining arguments as a command line and run the command with the security-flags specified with the -s flag.
 
 
-F
Force. Grab the target process even if another process has control.
 
 
-i idtype
This option, together with the id arguments, specifies one or more processes whose security-flags will be modified. The interpretation of the id arguments is based on idtype. If idtype is omitted, the default is pid.
 
Valid idtype options are:
 
all
The psecflags command applies to all processes.
 
 
contract, ctid
The security-flags of any process with a contract ID matching the id arguments are modified.
 
 
group, gid
The security-flags of any process with a group ID matching the id arguments are modified.
 
 
pid
The security-flags of any process with a process ID matching the id arguments are modified. This is the default.
 
 
ppid
The security-flags of any processes whose parent process ID matches the id arguments are modified.
 
 
project, projid
The security-flags of any process whose project ID matches the id arguments are modified.
 
 
session, sid
The security-flags of any process whose session ID matches the id arguments are modified.
 
 
taskid
The security-flags of any process whose task ID matches the id arguments are modified.
 
 
user, uid
The security-flags of any process belonging to the users matching the id arguments are modified.
 
 
zone, zoneid
The security-flags of any process running in the zones matching the given id arguments are modified.
 
 
-l
List all supported process security-flags.
 
 
-s specification
Modify the process security-flags according to specification. Specifications take the form [-+]flagspec, where + indicates that the given flags should be enabled in addition to the current flags, - indicates that the given flags should be disabled, and the default (with neither) indicates that the given flags should replace the current flags.

flagspec is a comma-separated list of security flags, or the string "none", which indicates that the security-flags are to be cleared.

For a list of valid security-flags, see psecflags -l.

 

EXAMPLES

Example 1 Display the security-flags of the current shell
 


example$ psecflags $$
100718: -sh
E: aslr
I: aslr

 
 

Example 2 Run a user command with ASLR enabled in addition to any inherited security flags.

 


example$ psecflags -s +aslr -e /bin/sh
$ psecflags $$
100724: -sh
E: none
I: aslr

 
 

Example 3 Remove aslr from the inheritable flags of all Bob's processes.

 


example# psecflags -s -aslr -i uid bob
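
The following script is an added example, not part of the original manual page or of psecflags itself. It reads listings in the layout shown in Examples 1 and 2 and reports each process whose effective (E) or inheritable (I) set lacks a given flag. The function names are hypothetical, and it assumes that multiple flags in a set are printed comma-separated, as flagspec is for -s.

```shell
#!/bin/sh
# Added example: audit psecflags-style listings for a missing security flag.
# Assumed input layout (taken from EXAMPLES): "pid: command", "E: flags", "I: flags".
# Assumption: several flags in one set are comma-separated, like flagspec.

# flag_missing FLAG
# Reads a listing on stdin; prints "pid set command" for each set lacking FLAG.
flag_missing() {
    awk -v want="$1" '
        # Header line, e.g. "100718: -sh"
        /^[0-9]+:/ {
            pid = $1; sub(/:$/, "", pid)
            cmd = $0; sub(/^[0-9]+:[ \t]*/, "", cmd)
            next
        }
        # Set line, e.g. "E: aslr" or "I: none" (leading whitespace tolerated)
        /^[ \t]*[EI]:/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            which = substr(line, 1, 1)
            sub(/^[EI]:[ \t]*/, "", line)
            n = split(line, flags, /[ \t]*,[ \t]*/)
            found = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == want) found = 1
            if (!found) printf "%s %s %s\n", pid, which, cmd
        }
    '
}

# Constructed sample: the two listings from Examples 1 and 2 on this page.
sample_listing() {
    cat <<'EOF'
100718: -sh
E: aslr
I: aslr
100724: -sh
E: none
I: aslr
EOF
}

# Report every process/set pair in the sample that lacks aslr.
sample_listing | flag_missing aslr
```

On a live system, pipe the output of psecflags for the processes of interest into flag_missing in place of sample_listing. Because the interface stability is Volatile, check the listing layout before relying on the parser.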

 

EXIT STATUS

The following exit values are returned:
 
0
Success
 
non-zero
An error has occurred.
 

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:
 
 
 
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Volatile
 

SEE ALSO

exec(2), attributes(5), contract(4), security-flags(5), zones(5)
May 3, 2014