il_7029-1-2 Wdiff usr/src/man/man1/psecflags.1

Print this page

Code review comments from jeffpc

Split	Close
Expand all
Collapse all

          --- old/usr/src/man/man1/psecflags.1
          +++ new/usr/src/man/man1/psecflags.1

   1    1  '\" te
   2    2  .\" This file and its contents are supplied under the terms of the

↓ open down ↓

2 lines elided

↑ open up ↑

   3    3  .\" Common Development and Distribution License ("CDDL"), version 1.0.
   4    4  .\" You may only use this file in accordance with the terms of version
   5    5  .\" 1.0 of the CDDL.
   6    6  .\"
   7    7  .\" A full copy of the text of the CDDL should have accompanied this
   8    8  .\" source.  A copy of the CDDL is also available via the Internet at
   9    9  .\" http://www.illumos.org/license/CDDL.
  10   10  .\"
  11   11  .\" Copyright 2015, Richard Lowe.
  12   12  .\"
  13      -.TH "PSECFLAGS" "1" "May 3, 2014"
       13 +.TH "PSECFLAGS" "1" "June 6, 2016"
  14   14  .SH "NAME"
  15   15  \fBpsecflags\fR - inspect or modify process security flags
  16   16  .SH "SYNOPSIS"
  17   17  .LP
  18   18  .nf
  19      -\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR
  20      -        [\fIarg\fR]...
       19 +\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
       20 +[\fIarg\fR]...
  21   21  .fi
  22   22  .LP
  23   23  .nf
  24      -\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR]
  25      -        \fIid\fR ...
       24 +\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
       25 +\fIid\fR ...
  26   26  .fi
  27   27  .LP
  28   28  .nf
  29   29  \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
  30   30  .fi
  31   31  .LP
  32   32  .nf
  33   33  \fB/usr/bin/psecflags\fR \fI-l\fR
  34   34  .fi
  35   35

  36   36  .SH "DESCRIPTION"
  37   37  The first invocation of the \fBpsecflags\fR command runs the specified
  38   38  \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
  39   39  argument.
  40   40  .P
  41   41  The second invocation modifies the security-flags of the processes described
  42   42  by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
  43   43  .P
  44   44  The third invocation describes the security-flags of the specified processes
  45   45  or core files.  The effective set is signified by '\fBE\fR', the inheritable
  46   46  set by '\fBI\fR', the lower set by '\fBL\fR', and the upper set by '\fBU\fR'.
  47   47  .P
  48   48  The fourth invocation lists the supported process security-flags, documented
  49   49  in \fBsecurity-flags\fR(5).
  50   50  
  51   51  .SH "OPTIONS"
  52   52  The following options are supported:
  53   53  .sp
  54   54  .ne 2
  55   55  .na
  56   56  \fB-e\fR
  57   57  .ad
  58   58  .RS 11n
  59   59  Interpret the remaining arguments as a command line and run the command with
  60   60  the security-flags specified with the \fI-s\fR flag.
  61   61  .RE
  62   62  
  63   63  .sp
  64   64  .ne 2
  65   65  .na
  66   66  \fB-F\fR
  67   67  .ad
  68   68  .RS 11n
  69   69  Force. Grab the target process even if another process has control.
  70   70  .RE
  71   71  
  72   72  .sp
  73   73  .ne 2
  74   74  .na
  75   75  \fB-i\fR \fIidtype\fR
  76   76  .ad
  77   77  .RS 11n
  78   78  This option, together with the \fIid\fR arguments specify one or more
  79   79  processes whose security-flags will be modified. The interpretation of the
  80   80  \fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted the
  81   81  default is \fBpid\fR.
  82   82  
  83   83  Valid \fIidtype\fR options are:
  84   84  .sp
  85   85  .ne 2
  86   86  .na
  87   87  \fBall\fR
  88   88  .ad
  89   89  .RS 11n
  90   90  The \fBpsecflags\fR command applies to all processes
  91   91  .RE
  92   92  
  93   93  .sp
  94   94  .ne 2
  95   95  .na
  96   96  \fBcontract\fR, \fBctid\fR
  97   97  .ad
  98   98  .RS 11n
  99   99  The security-flags of any process with a contract ID matching the \fIid\fR
 100  100  arguments are modified.
 101  101  .RE
 102  102  
 103  103  .sp
 104  104  .ne 2
 105  105  .na
 106  106  \fBgroup\fR, \fBgid\fR
 107  107  .ad
 108  108  .RS 11n
 109  109  The security-flags of any process with a group ID matching the \fIid\fR
 110  110  arguments are modified.
 111  111  .RE
 112  112  
 113  113  .sp
 114  114  .ne 2
 115  115  .na
 116  116  \fBpid\fR
 117  117  .ad
 118  118  .RS 11n
 119  119  The security-flags of any process with a process ID matching the \fIid\fR
 120  120  arguments are modified. This is the default.
 121  121  .RE
 122  122  
 123  123  .sp
 124  124  .ne 2
 125  125  .na
 126  126  \fBppid\fR
 127  127  .ad
 128  128  .RS 11n
 129  129  The security-flags of any processes whose parent process ID matches the
 130  130  \fIid\fR arguments are modified.
 131  131  .RE
 132  132  
 133  133  .sp
 134  134  .ne 2
 135  135  .na
 136  136  \fBproject\fR, \fBprojid\fR
 137  137  .ad
 138  138  .RS 11n
 139  139  The security-flags of any process whose project ID matches the \fIid\fR
 140  140  arguments are modified.
 141  141  .RE
 142  142  
 143  143  .sp
 144  144  .ne 2
 145  145  .na
 146  146  \fBsession\fR, \fBsid\fR
 147  147  .ad
 148  148  .RS 11n
 149  149  The security-flags of any process whose session ID matches the \fIid\fR
 150  150  arguments are modified.
 151  151  .RE
 152  152  
 153  153  .sp
 154  154  .ne 2
 155  155  .na
 156  156  \fBtaskid\fR
 157  157  .ad
 158  158  .RS 11n
 159  159  The security-flags of any process whose task ID matches the \fIid\fR arguments
 160  160  are modified.
 161  161  .RE
 162  162  
 163  163  .sp
 164  164  .ne 2
 165  165  .na
 166  166  \fBuser\fR, \fBuid\fR
 167  167  .ad
 168  168  .RS 11n
 169  169  The security-flags of any process belonging to the users matching the \fIid\fR
 170  170  arguments are modified.
 171  171  .RE
 172  172  
 173  173  .sp
 174  174  .ne 2
 175  175  .na
 176  176  \fBzone\fR, \fBzoneid\fR
 177  177  .ad
 178  178  .RS 11n
 179  179  The security-flags of any process running in the zones matching the given
 180  180  \fIid\fR arguments are modified.
 181  181  .RE
 182  182  .RE
 183  183  
 184  184  .sp
 185  185  .ne 2
 186  186  .na
 187  187  \fB-l\fR
 188  188  .ad
 189  189  .RS 11n
 190  190  List all supported process security-flags, described in
 191  191  \fBsecurity-flags\fR(5).
 192  192  .RE
 193  193  
 194  194  .sp
 195  195  .ne 2
 196  196  .na
 197  197  \fB-s\fR \fIspecification\fR
 198  198  .ad
 199  199  .RS 11n
 200  200  Modify the process security-flags according to
 201  201  \fIspecification\fR. Specifications take the form of a comma-separated list of
 202  202  flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the
 203  203  given flag should be removed from the specification.  The pseudo-flags "all",
 204  204  "none" and "current" are supported, to indicate that all flags, no flags, or
 205  205  the current set of flags (respectively) are to be included.
 206  206  .P
 207  207  By default, the inheritable flags are changed.  You may optionally specify the
 208  208  set to change using their single-letter identifiers and an equals sign.
 209  209  .P
 210  210  For a list of valid security-flags, see \fBpsecflags -l\fR.
 211  211  .RE
 212  212

↓ open down ↓

177 lines elided

↑ open up ↑

 213  213  .SH "EXAMPLES"
 214  214  .LP
 215  215  \fBExample 1\fR Display the security-flags of the current shell.
 216  216  .sp
 217  217  .in +2
 218  218  .nf
 219  219  example$ \fBpsecflags $$\fR
 220  220  100718: -sh
 221  221          E:      aslr
 222  222          I:      aslr
 223      -        L:      none
 224      -        U:      aslr, forbidnullmap, noexecstack
      223 +        L:      none
      224 +        U:      aslr,forbidnullmap,noexecstack
 225  225  .fi
 226  226  .in -2
 227  227  .sp
 228  228  
 229  229  .LP
 230  230  \fBExample 2\fR Run a user command with ASLR enabled in addition to any
 231  231  inherited security flags.
 232  232  .sp
 233  233  .in +2
 234  234  .nf
 235  235  example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
 236  236  $ psecflags $$
 237  237  100724: -sh
 238  238          E:      none
 239  239          I:      aslr
 240      -        L:      none
 241      -        U:      aslr, forbidnullmap, noexecstack
      240 +        L:      none
      241 +        U:      aslr,forbidnullmap,noexecstack
 242  242  .fi
 243  243  .in -2
 244  244  .sp
 245  245  
 246  246  .LP
 247  247  \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
 248  248  .sp
 249  249  .in +2
 250  250  .nf
 251  251  example# \fBpsecflags -s current,-aslr -i uid bob\fR

 252  252  .fi
 253  253  .in -2
 254  254  
 255  255  .LP
 256  256  \fBExample 4\fR Add the aslr flag to the lower set, so that all future
 257  257  child processes must have this flag set.
 258  258  .sp
 259  259  .in +2
 260  260  .nf
 261  261  example# \fBpsecflags -s L=current,aslr $$\fR
 262  262  .fi
 263  263  .in -2
 264  264  
 265  265  .SH "EXIT STATUS"
 266  266  The following exit values are returned:
 267  267  
 268  268  .TP
 269  269  \fB0\fR
 270  270  .IP
 271  271  Success.
 272  272  
 273  273  .TP
 274  274  \fBnon-zero\fR
 275  275  .IP
 276  276  An error has occured.
 277  277  
 278  278  .SH "ATTRIBUTES"
 279  279  .LP
 280  280  See \fBattributes\fR(5) for descriptions of the following attributes:
 281  281  .sp
 282  282  
 283  283  .sp
 284  284  .TS
 285  285  box;
 286  286  c | c
 287  287  l | l .
 288  288  ATTRIBUTE TYPE  ATTRIBUTE VALUE
 289  289  _
 290  290  Interface Stability     Volatile
 291  291  .TE
 292  292  
 293  293  .SH "SEE ALSO"
 294  294  .BR exec (2),
 295  295  .BR attributes (5),
 296  296  .BR contract (4),
 297  297  .BR security-flags (5),
 298  298  .BR zones (5)

↓ open down ↓

47 lines elided

↑ open up ↑

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX