'\" te
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\"
.TH "PSECFLAGS" "1" "May 3, 2014"
.SH "NAME"
\fBpsecflags\fR - inspect or modify process security flags
.SH "SYNOPSIS"
.LP
.nf
\fB/usr/bin/psecflags\fR \fI-s\fR [-+]flags \fI-e\fR \fIcommand\fR
    [\fIarg\fR]...
.fi
.LP
.nf
\fB/usr/bin/psecflags\fR \fI-s\fR [-+]flags [\fI-i\fR \fIidtype\fR]
    \fIid\fR ...
.fi
.LP
.nf
\fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
.fi
.LP
.nf
\fB/usr/bin/psecflags\fR \fI-l\fR
.fi

.SH "DESCRIPTION"
The first invocation of the \fBpsecflags\fR command runs the specified
\fIcommand\fR with the security-flags modified as described by the \fI-s\fR
argument.
.P
The second invocation modifies the security-flags of the processes described
by \fIidtype\fR and \fIid\fR as described by the \fI-s\fR argument.
.P
The third invocation describes the security-flags of the specified processes
or core files. The effective set is signified by '\fBE\fR', and the
inheritable set by '\fBI\fR'.
.P
The fourth invocation lists the supported process security-flags.

.SH "OPTIONS"
The following options are supported:
.sp
.ne 2
.na
\fB-e\fR
.ad
.RS 11n
Interpret the remaining arguments as a command line and run the command with
the security-flags specified with the \fI-s\fR flag.
.RE

.sp
.ne 2
.na
\fB-F\fR
.ad
.RS 11n
Force. Grab the target process even if another process has control.
.RE

.sp
.ne 2
.na
\fB-i\fR \fIidtype\fR
.ad
.RS 11n
This option, together with the \fIid\fR arguments, specifies one or more
processes whose security-flags will be modified. The interpretation of the
\fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted, the
default is \fBpid\fR.

Valid \fIidtype\fR options are:
.sp
.ne 2
.na
\fBall\fR
.ad
.RS 11n
The \fBpsecflags\fR command applies to all processes.
.RE

.sp
.ne 2
.na
\fBcontract\fR, \fBctid\fR
.ad
.RS 11n
The security-flags of any process with a contract ID matching the \fIid\fR
arguments are modified.
.RE

.sp
.ne 2
.na
\fBgroup\fR, \fBgid\fR
.ad
.RS 11n
The security-flags of any process with a group ID matching the \fIid\fR
arguments are modified.
.RE

.sp
.ne 2
.na
\fBpid\fR
.ad
.RS 11n
The security-flags of any process with a process ID matching the \fIid\fR
arguments are modified. This is the default.
.RE

.sp
.ne 2
.na
\fBppid\fR
.ad
.RS 11n
The security-flags of any processes whose parent process ID matches the
\fIid\fR arguments are modified.
.RE

.sp
.ne 2
.na
\fBproject\fR, \fBprojid\fR
.ad
.RS 11n
The security-flags of any process whose project ID matches the \fIid\fR
arguments are modified.
.RE

.sp
.ne 2
.na
\fBsession\fR, \fBsid\fR
.ad
.RS 11n
The security-flags of any process whose session ID matches the \fIid\fR
arguments are modified.
.RE

.sp
.ne 2
.na
\fBtaskid\fR
.ad
.RS 11n
The security-flags of any process whose task ID matches the \fIid\fR arguments
are modified.
.RE

.sp
.ne 2
.na
\fBuser\fR, \fBuid\fR
.ad
.RS 11n
The security-flags of any process belonging to the users matching the \fIid\fR
arguments are modified.
.RE

.sp
.ne 2
.na
\fBzone\fR, \fBzoneid\fR
.ad
.RS 11n
The security-flags of any process running in the zones matching the given
\fIid\fR arguments are modified.
.RE
.RE

.sp
.ne 2
.na
\fB-l\fR
.ad
.RS 11n
List all supported process security-flags.
.RE

.sp
.ne 2
.na
\fB-s\fR \fIspecification\fR
.ad
.RS 11n
Modify the process security-flags according to
\fIspecification\fR. Specifications take the form \fB[-+]flagspec\fR, where
\fB+\fR indicates that the given flags should be enabled in addition to the
current flags, \fB-\fR indicates that the given flags should be disabled, and
the default (with neither) indicates that the given flags should replace the
current flags.
.P
\fBflagspec\fR is a comma-separated list of security flags, or the string
\fB"none"\fR, which indicates that the security-flags are to be cleared.
.P
For a list of valid security-flags, see \fBpsecflags -l\fR.
.RE

.SH "EXAMPLES"
.LP
\fBExample 1\fR Display the security-flags of the current shell.
.sp
.in +2
.nf
example$ \fBpsecflags $$\fR
100718: -sh
E: aslr
I: aslr
.fi
.in -2
.sp

.LP
\fBExample 2\fR Run a user command with ASLR enabled in addition to any
inherited security flags.
.sp
.in +2
.nf
example$ \fBpsecflags -s +aslr -e /bin/sh\fR
$ psecflags $$
100724: -sh
E: none
I: aslr
.fi
.in -2
.sp

.LP
\fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
.sp
.in +2
.nf
example# \fBpsecflags -s -aslr -i uid bob\fR
.fi
.in -2

.SH "EXIT STATUS"
The following exit values are returned:

.TP
\fB0\fR
.IP
Success

.TP
\fBnon-zero\fR
.IP
An error has occurred

.SH "ATTRIBUTES"
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Volatile
.TE

.SH "SEE ALSO"
.BR exec (2),
.BR attributes (5),
.BR contract (4),
.BR security-flags (5),
.BR zones (5)