uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap.  Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it.


 297         and modify process state to other processes regardless of
 298         ownership.  When modifying another process, additional
 299         restrictions apply:  the effective privilege set of the
 300         attaching process must be a superset of the target process'
 301         effective, permitted and inheritable sets; the limit set must
 302         be a superset of the target's limit set; if the target process
 303         has any uid set to 0 all privilege must be asserted unless the
 304         effective uid is 0.
 305         Allows a process to bind arbitrary processes to CPUs.
 306 
 307 privilege PRIV_PROC_PRIOUP
 308 
 309         Allows a process to elevate its priority above its current level.
 310 
 311 privilege PRIV_PROC_PRIOCNTL
 312 
 313         Allows all that PRIV_PROC_PRIOUP allows.
 314         Allows a process to change its scheduling class to any scheduling class,
 315         including the RT class.
 316 





 317 basic privilege PRIV_PROC_SESSION
 318 
 319         Allows a process to send signals or trace processes outside its
 320         session.
 321 
 322 unsafe privilege PRIV_PROC_SETID
 323 
 324         Allows a process to set its uids at will.
 325         Assuming uid 0 requires all privileges to be asserted.
 326 
 327 privilege PRIV_PROC_TASKID
 328 
 329         Allows a process to assign a new task ID to the calling process.
 330 
 331 privilege PRIV_PROC_ZONE
 332 
 333         Allows a process to trace or send signals to processes in
 334         other zones.
 335 
 336 privilege PRIV_SYS_ACCT




 297         and modify process state to other processes regardless of
 298         ownership.  When modifying another process, additional
 299         restrictions apply:  the effective privilege set of the
 300         attaching process must be a superset of the target process'
 301         effective, permitted and inheritable sets; the limit set must
 302         be a superset of the target's limit set; if the target process
 303         has any uid set to 0 all privilege must be asserted unless the
 304         effective uid is 0.
 305         Allows a process to bind arbitrary processes to CPUs.
 306 
 307 privilege PRIV_PROC_PRIOUP
 308 
 309         Allows a process to elevate its priority above its current level.
 310 
 311 privilege PRIV_PROC_PRIOCNTL
 312 
 313         Allows all that PRIV_PROC_PRIOUP allows.
 314         Allows a process to change its scheduling class to any scheduling class,
 315         including the RT class.
 316 
 317 privilege PRIV_PROC_SECFLAGS
 318 
 319         Allows a process to manipulate the secflags of processes (subject to,
 320         additionally, the ability to signal that process)
 321 
 322 basic privilege PRIV_PROC_SESSION
 323 
 324         Allows a process to send signals or trace processes outside its
 325         session.
 326 
 327 unsafe privilege PRIV_PROC_SETID
 328 
 329         Allows a process to set its uids at will.
 330         Assuming uid 0 requires all privileges to be asserted.
 331 
 332 privilege PRIV_PROC_TASKID
 333 
 334         Allows a process to assign a new task ID to the calling process.
 335 
 336 privilege PRIV_PROC_ZONE
 337 
 338         Allows a process to trace or send signals to processes in
 339         other zones.
 340 
 341 privilege PRIV_SYS_ACCT
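
Review bot: The description of the new PRIV_PROC_SECFLAGS entry (new lines 319-320) is hard to parse: the parenthetical "(subject to, additionally, the ability to signal that process)" interrupts the sentence, and the sentence has no closing period, unlike the neighbouring entries. Consider wording along the lines of "Allows a process to manipulate the secflags of processes, provided it is also able to signal them." The entry is declared as a plain privilege rather than a basic one like PRIV_PROC_SESSION just below it, so the text should also say whether the privilege is needed for a process to change its own secflags or only those of other processes.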