uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap.  Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it.

@@ -18,11 +18,11 @@
 [\fB-i\fR] [\fB-I\fR \fIname\fR] [\fB-l\fR \fIx\fR] [\fB-L\fR \fIpath\fR] [\fB-m\fR] [\fB-M\fR \fImapfile\fR]
 [\fB-N\fR \fIstring\fR] [\fB-o\fR \fIoutfile\fR] [\fB-p\fR \fIauditlib\fR] [\fB-P\fR \fIauditlib\fR]
 [\fB-Q\fR y | n] [\fB-R\fR \fIpath\fR] [\fB-s\fR] [\fB-S\fR \fIsupportlib\fR] [\fB-t\fR]
 [\fB-u\fR \fIsymname\fR] [\fB-V\fR] [\fB-Y P\fR\fI,dirlist\fR] [\fB-z\fR absexec]
 [\fB-z\fR allextract | defaultextract | weakextract ] [\fB-z\fR altexec64]
-[\fB-z\fR assert-deflib ] [ \fB-z\fR assert-deflib=\fIlibname\fR ]
+[\fB-z\fR aslr[=\fIstate\fR]] [\fB-z\fR assert-deflib] [ \fB-z\fR assert-deflib=\fIlibname\fR]
 [\fB-z\fR combreloc | nocombreloc ] [\fB-z\fR defs | nodefs]
 [\fB-z\fR direct | nodirect] [\fB-z\fR endfiltee]
 [\fB-z\fR fatal-warnings | nofatal-warnings ] [\fB-z\fR finiarray=\fIfunction\fR]
 [\fB-z\fR globalaudit] [\fB-z\fR groupperm | nogroupperm] 
 [\fB-z\fR guidance[=\fIid1\fR,\fIid2\fR...] [\fB-z\fR help ]
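Review bot: The bracket spacing on the added synopsis line is left inconsistent: the assert-deflib=libname entry now reads "[ \fB-z\fR assert-deflib=\fIlibname\fR]", keeping the space after the opening bracket while the space before the closing bracket was dropped. Suggest removing the leading space as well so it matches the "[\fB-z\fR assert-deflib]" entry next to it, or keeping the whitespace cleanup out of this change so the line only adds "[\fB-z\fR aslr[=\fIstate\fR]]".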

@@ -843,10 +843,27 @@
 .RE
 
 .sp
 .ne 2
 .na
+\fB-z\fR \fBaslr[=\fIstate\fR]\fR
+.ad
+.sp .6
+.RS 4n
+Specify whether the executable's address space should be randomized on
+execution.  If \fIstate\fR is "enabled" randomization will always occur when
+this executable is run (regardless of inherited settings).  If \fIstate\fR is
+"disabled" randomization will never occur when this executable is run.  If
+\fIstate\fR is omitted, ASLR is enabled.
+
+An executable that should simple use the settings inherited from its
+environment should not use this flag at all.
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fB-z\fR \fBcombreloc\fR | \fBnocombreloc\fR\fR
 .ad
 .sp .6
 .RS 4n
 By default, \fBld\fR combines multiple relocation sections when building
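Review bot: Typo in the second paragraph of the new -z aslr entry: "should simple use the settings inherited" should read "should simply use the settings inherited". The bare empty line separating the two paragraphs would also be better written as an explicit .sp request, which is what the surrounding entries use for spacing. The description names only "enabled" and "disabled" as values of state, so it would help to document what ld does when given any other value.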