Code review comments from jeffpc
--- old/usr/src/man/man1/psecflags.1.man.txt
+++ new/usr/src/man/man1/psecflags.1.man.txt
1 1 PSECFLAGS(1) User Commands PSECFLAGS(1)
2 2
3 3
4 4
5 5 NAME
6 6 psecflags - inspect or modify process security flags
7 7
8 8 SYNOPSIS
9 - /usr/bin/psecflags -s spec -e command
10 - [arg]...
9 + /usr/bin/psecflags -s spec -e command [arg]...
11 10
12 - /usr/bin/psecflags -s spec [-i idtype]
13 - id ...
11 + /usr/bin/psecflags -s spec [-i idtype] id ...
14 12
15 13 /usr/bin/psecflags [-F] { pid | core }
16 14
17 15 /usr/bin/psecflags -l
18 16
19 17
20 18 DESCRIPTION
21 19 The first invocation of the psecflags command runs the specified
22 20 command with the security-flags modified as described by the -s
23 21 argument.
24 22
25 23 The second invocation modifies the security-flags of the processes
26 24 described by idtype and id according as described by the -s argument.
27 25
28 26 The third invocation describes the security-flags of the specified
29 27 processes or core files. The effective set is signified by 'E', the
30 28 inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.
31 29
32 30 The fourth invocation lists the supported process security-flags,
33 31 documented in security-flags(5).
34 32
35 33
36 34 OPTIONS
37 35 The following options are supported:
38 36
39 37 -e
40 38 Interpret the remaining arguments as a command line and run
41 39 the command with the security-flags specified with the -s
42 40 flag.
43 41
44 42
45 43 -F
46 44 Force. Grab the target process even if another process has
47 45 control.
48 46
49 47
50 48 -i idtype
51 49 This option, together with the id arguments specify one or
52 50 more processes whose security-flags will be modified. The
53 51 interpretation of the id arguments is based on idtype. If
54 52 idtype is omitted the default is pid.
55 53
56 54 Valid idtype options are:
57 55
58 56 all
59 57 The psecflags command applies to all processes
60 58
61 59
62 60 contract, ctid
63 61 The security-flags of any process with a contract
64 62 ID matching the id arguments are modified.
65 63
66 64
67 65 group, gid
68 66 The security-flags of any process with a group ID
69 67 matching the id arguments are modified.
70 68
71 69
72 70 pid
73 71 The security-flags of any process with a process
74 72 ID matching the id arguments are modified. This
75 73 is the default.
76 74
77 75
78 76 ppid
79 77 The security-flags of any processes whose parent
80 78 process ID matches the id arguments are modified.
81 79
82 80
83 81 project, projid
84 82 The security-flags of any process whose project
85 83 ID matches the id arguments are modified.
86 84
87 85
88 86 session, sid
89 87 The security-flags of any process whose session
90 88 ID matches the id arguments are modified.
91 89
92 90
93 91 taskid
94 92 The security-flags of any process whose task ID
95 93 matches the id arguments are modified.
96 94
97 95
98 96 user, uid
99 97 The security-flags of any process belonging to
100 98 the users matching the id arguments are modified.
101 99
102 100
103 101 zone, zoneid
104 102 The security-flags of any process running in the
105 103 zones matching the given id arguments are
106 104 modified.
107 105
108 106
109 107 -l
110 108 List all supported process security-flags, described in
111 109 security-flags(5).
112 110
113 111
114 112 -s specification
115 113 Modify the process security-flags according to
116 114 specification. Specifications take the form of a comma-
117 115 separated list of flags, optionally preceded by a '-' or
118 116 '!'. Where '-' and '!' indicate that the given flag should
119 117 be removed from the specification. The pseudo-flags "all",
120 118 "none" and "current" are supported, to indicate that all
121 119 flags, no flags, or the current set of flags (respectively)
122 120 are to be included.
123 121
124 122 By default, the inheritable flags are changed. You may
125 123 optionally specify the set to change using their single-
126 124 letter identifiers and an equals sign.
127 125
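Review bot: the third SYNOPSIS form, "psecflags [-F] { pid | core }", takes a single operand as written, but DESCRIPTION says it "describes the security-flags of the specified processes or core files"; if several operands are accepted, add "..." to that form while the other two synopsis lines are being rejoined. In the same region, the option is "-s spec" in SYNOPSIS but "-s specification" in OPTIONS, the second DESCRIPTION paragraph reads "according as described by the -s argument" (drop "according"), and "together with the id arguments specify" under -i should read "specifies".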
128 126 For a list of valid security-flags, see psecflags -l.
129 127
130 128
131 129 EXAMPLES
132 130 Example 1 Display the security-flags of the current shell.
133 131
134 132 example$ psecflags $$
135 133 100718: -sh
136 134 E: aslr
137 135 I: aslr
138 - L: none
139 - U: aslr, forbidnullmap, noexecstack
136 + L: none
137 + U: aslr,forbidnullmap,noexecstack
140 138
141 139
142 140
143 141 Example 2 Run a user command with ASLR enabled in addition to any
144 142 inherited security flags.
145 143
146 144 example$ psecflags -s current,aslr -e /bin/sh
147 145 $ psecflags $$
148 146 100724: -sh
149 147 E: none
150 148 I: aslr
151 - L: none
152 - U: aslr, forbidnullmap, noexecstack
149 + L: none
150 + U: aslr,forbidnullmap,noexecstack
153 151
154 152
155 153
156 154 Example 3 Remove aslr from the inheritable flags of all Bob's
157 155 processes.
158 156
159 157 example# psecflags -s current,-aslr -i uid bob
160 158
161 159
162 160 Example 4 Add the aslr flag to the lower set, so that all future child
163 161 processes must have this flag set.
164 162
165 163 example# psecflags -s L=current,aslr $$
166 164
167 165
168 166 EXIT STATUS
169 167 The following exit values are returned:
170 168
171 169
172 170 0
173 171
174 172 Success.
175 173
176 174
177 175 non-zero
178 176
179 177 An error has occured.
180 178
181 179
182 180 ATTRIBUTES
183 181 See attributes(5) for descriptions of the following attributes:
184 182
185 183
186 184
187 185
188 186 +--------------------+-----------------+
189 187 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
190 188 +--------------------+-----------------+
191 189 |Interface Stability | Volatile |
192 190 +--------------------+-----------------+
193 191
194 192 SEE ALSO
195 193 exec(2), attributes(5), contract(4), security-flags(5), zones(5)
196 194
197 195
198 196
199 - May 3, 2014 PSECFLAGS(1)
197 + June 6, 2016 PSECFLAGS(1)
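Review bot: in Example 2 the sample output for the new shell shows "E: none" although the caption says the command is run "with ASLR enabled"; since the L: and U: lines of that output are being touched anyway, please confirm the E: line against real output, or reword the caption to say that only the inheritable set is changed. The reformatted "U: aslr,forbidnullmap,noexecstack" lines in Examples 1 and 2 should likewise be checked against what the tool prints, and EXIT STATUS still carries "An error has occured" (should be "occurred"), which could be fixed in the same change.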