SECURITY-FLAGS(5)     Standards, Environments, and Macros    SECURITY-FLAGS(5)



NAME
       security-flags - process security flags

DESCRIPTION
       Each process on an illumos system has an associated set of security-
       flags which describe additional per-process security and exploit
       mitigation features which are enabled for that process.

       There are two sets of these flags for each process. The effective set
       (abbreviated E) contains the flags which currently apply to the
       process, and is immutable. The inheritable set (abbreviated I)
       contains the flags which will become effective the next time the
       process calls one of the exec(2) family of functions, and which will
       be inherited as both the effective and inheritable sets by any child
       processes. The inheritable set may be changed at any time, subject to
       permissions.

       To change the security-flags of a process one must both have
       permissions equivalent to those required to send a signal to the
       process and have the PRIV_PROC_SECFLAGS privilege.

       Currently available features are:


       Address Space Layout Randomisation (ASLR)
                  The base addresses of the stack, heap and shared library
                  (including ld.so) mappings are randomised, as are the bases
                  of mapped regions other than those using MAP_FIXED.

                  Currently, executable base addresses are not randomised, so
                  the mitigation provided by this feature is limited.

                  This flag may also be enabled by the presence of the
                  DT_SUNW_ASLR dynamic tag in the .dynamic section of the
                  executable file. If this tag has a value of 1, ASLR will be
                  enabled. If the tag has a value of 0, ASLR will be disabled.
                  If the tag is not present, the value of the ASLR flag will
                  be inherited as normal.
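
       A check an auditor might run over executables, added here as an
       example and not part of the original manual page: it walks the
       PT_DYNAMIC segment and reports the DT_SUNW_ASLR disposition described
       above. The numeric tag value and the function names are assumptions;
       the page names the tag but not its number, so confirm it against
       sys/link.h.

```python
import struct

DT_NULL, PT_DYNAMIC = 0, 2
# Assumed value of DT_SUNW_ASLR (illumos sys/link.h); the page does not give the number.
DT_SUNW_ASLR = 0x60000023

def aslr_tag(elf, tag=DT_SUNW_ASLR):
    """Return the tag's value from the dynamic array, or None if it is absent."""
    if elf[:4] != b"\x7fELF" or len(elf) < 52:
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = LSB, 2 = MSB
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        ph_fmt, dyn_fmt = end + "I4xQ16xQ", end + "qQ"   # p_type, p_offset, p_filesz
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        ph_fmt, dyn_fmt = end + "II8xI", end + "iI"
    step = struct.calcsize(dyn_fmt)
    for i in range(phnum):
        p_type, off, size = struct.unpack_from(ph_fmt, elf, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(off, min(off + size, len(elf)) - step + 1, step):
            d_tag, d_val = struct.unpack_from(dyn_fmt, elf, pos)
            if d_tag == DT_NULL:            # end of the dynamic array
                break
            if d_tag == tag:
                return d_val
    return None

def disposition(elf):
    """Map the tag to the behaviour the page describes: 1 on, 0 off, absent inherits."""
    v = aslr_tag(elf)
    return "inherited" if v is None else {0: "disabled", 1: "enabled"}.get(v, "undefined")

def sample_elf64(dyn):
    """Constructed sample: little-endian ELF64 holding only a PT_DYNAMIC segment."""
    body = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(body), len(body), 8)
    return ehdr + phdr + body

if __name__ == "__main__":
    for dyn in ([(DT_SUNW_ASLR, 1)], [(DT_SUNW_ASLR, 0)], [(1, 0x10)]):
        print(disposition(sample_elf64(dyn)))
```

       A result of "disabled" means the executable opts out of ASLR
       regardless of the inherited flag, which is the case worth flagging
       when auditing a system where ASLR is enabled by default.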

       System default security-flags are configured via properties on the
       svc:/system/process-security service, which contains one boolean
       property per flag in the secflags property group.  For example, to
       enable ASLR by default you would execute the following command:

         # svccfg -s svc:/system/process-security setprop secflags/aslr = true


       This can be done by any user with the solaris.smf.value.process-security
       authorization.

       Since security-flags are strictly inherited, this will not take effect
       until the system or zone is next booted.


SEE ALSO
       psecflags(1), svccfg(1M), brk(2), exec(2), mmap(2), mmapobj(2),
       privileges(5), rbac(5)



                                  May 5, 2014                SECURITY-FLAGS(5)