Print this page
Code review comments from jeffpc
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/man/man1/psecflags.1
+++ new/usr/src/man/man1/psecflags.1
1 1 '\" te
2 2 .\" This file and its contents are supplied under the terms of the
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
3 3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
4 4 .\" You may only use this file in accordance with the terms of version
5 5 .\" 1.0 of the CDDL.
6 6 .\"
7 7 .\" A full copy of the text of the CDDL should have accompanied this
8 8 .\" source. A copy of the CDDL is also available via the Internet at
9 9 .\" http://www.illumos.org/license/CDDL.
10 10 .\"
11 11 .\" Copyright 2015, Richard Lowe.
12 12 .\"
13 -.TH "PSECFLAGS" "1" "May 3, 2014"
13 +.TH "PSECFLAGS" "1" "June 6, 2016"
14 14 .SH "NAME"
15 15 \fBpsecflags\fR - inspect or modify process security flags
16 16 .SH "SYNOPSIS"
17 17 .LP
18 18 .nf
19 -\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR
20 - [\fIarg\fR]...
19 +\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
20 +[\fIarg\fR]...
21 21 .fi
22 22 .LP
23 23 .nf
24 -\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR]
25 - \fIid\fR ...
24 +\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
25 +\fIid\fR ...
26 26 .fi
27 27 .LP
28 28 .nf
29 29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
30 30 .fi
31 31 .LP
32 32 .nf
33 33 \fB/usr/bin/psecflags\fR \fI-l\fR
34 34 .fi
35 35
36 36 .SH "DESCRIPTION"
37 37 The first invocation of the \fBpsecflags\fR command runs the specified
38 38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
39 39 argument.
40 40 .P
41 41 The second invocation modifies the security-flags of the processes described
42 42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
43 43 .P
44 44 The third invocation describes the security-flags of the specified processes
45 45 or core files. The effective set is signified by '\fBE\fR', the inheritable
46 46 set by '\fBI\fR', the lower set by '\fBL\fR', and the upper set by '\fBU\fR'.
47 47 .P
48 48 The fourth invocation lists the supported process security-flags, documented
49 49 in \fBsecurity-flags\fR(5).
50 50
51 51 .SH "OPTIONS"
52 52 The following options are supported:
53 53 .sp
54 54 .ne 2
55 55 .na
56 56 \fB-e\fR
57 57 .ad
58 58 .RS 11n
59 59 Interpret the remaining arguments as a command line and run the command with
60 60 the security-flags specified with the \fI-s\fR flag.
61 61 .RE
62 62
63 63 .sp
64 64 .ne 2
65 65 .na
66 66 \fB-F\fR
67 67 .ad
68 68 .RS 11n
69 69 Force. Grab the target process even if another process has control.
70 70 .RE
71 71
72 72 .sp
73 73 .ne 2
74 74 .na
75 75 \fB-i\fR \fIidtype\fR
76 76 .ad
77 77 .RS 11n
78 78 This option, together with the \fIid\fR arguments specify one or more
79 79 processes whose security-flags will be modified. The interpretation of the
80 80 \fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted the
81 81 default is \fBpid\fR.
82 82
83 83 Valid \fIidtype\fR options are:
84 84 .sp
85 85 .ne 2
86 86 .na
87 87 \fBall\fR
88 88 .ad
89 89 .RS 11n
90 90 The \fBpsecflags\fR command applies to all processes
91 91 .RE
92 92
93 93 .sp
94 94 .ne 2
95 95 .na
96 96 \fBcontract\fR, \fBctid\fR
97 97 .ad
98 98 .RS 11n
99 99 The security-flags of any process with a contract ID matching the \fIid\fR
100 100 arguments are modified.
101 101 .RE
102 102
103 103 .sp
104 104 .ne 2
105 105 .na
106 106 \fBgroup\fR, \fBgid\fR
107 107 .ad
108 108 .RS 11n
109 109 The security-flags of any process with a group ID matching the \fIid\fR
110 110 arguments are modified.
111 111 .RE
112 112
113 113 .sp
114 114 .ne 2
115 115 .na
116 116 \fBpid\fR
117 117 .ad
118 118 .RS 11n
119 119 The security-flags of any process with a process ID matching the \fIid\fR
120 120 arguments are modified. This is the default.
121 121 .RE
122 122
123 123 .sp
124 124 .ne 2
125 125 .na
126 126 \fBppid\fR
127 127 .ad
128 128 .RS 11n
129 129 The security-flags of any processes whose parent process ID matches the
130 130 \fIid\fR arguments are modified.
131 131 .RE
132 132
133 133 .sp
134 134 .ne 2
135 135 .na
136 136 \fBproject\fR, \fBprojid\fR
137 137 .ad
138 138 .RS 11n
139 139 The security-flags of any process whose project ID matches the \fIid\fR
140 140 arguments are modified.
141 141 .RE
142 142
143 143 .sp
144 144 .ne 2
145 145 .na
146 146 \fBsession\fR, \fBsid\fR
147 147 .ad
148 148 .RS 11n
149 149 The security-flags of any process whose session ID matches the \fIid\fR
150 150 arguments are modified.
151 151 .RE
152 152
153 153 .sp
154 154 .ne 2
155 155 .na
156 156 \fBtaskid\fR
157 157 .ad
158 158 .RS 11n
159 159 The security-flags of any process whose task ID matches the \fIid\fR arguments
160 160 are modified.
161 161 .RE
162 162
163 163 .sp
164 164 .ne 2
165 165 .na
166 166 \fBuser\fR, \fBuid\fR
167 167 .ad
168 168 .RS 11n
169 169 The security-flags of any process belonging to the users matching the \fIid\fR
170 170 arguments are modified.
171 171 .RE
172 172
173 173 .sp
174 174 .ne 2
175 175 .na
176 176 \fBzone\fR, \fBzoneid\fR
177 177 .ad
178 178 .RS 11n
179 179 The security-flags of any process running in the zones matching the given
180 180 \fIid\fR arguments are modified.
181 181 .RE
182 182 .RE
183 183
184 184 .sp
185 185 .ne 2
186 186 .na
187 187 \fB-l\fR
188 188 .ad
189 189 .RS 11n
190 190 List all supported process security-flags, described in
191 191 \fBsecurity-flags\fR(5).
192 192 .RE
193 193
194 194 .sp
195 195 .ne 2
196 196 .na
197 197 \fB-s\fR \fIspecification\fR
198 198 .ad
199 199 .RS 11n
200 200 Modify the process security-flags according to
201 201 \fIspecification\fR. Specifications take the form of a comma-separated list of
202 202 flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the
203 203 given flag should be removed from the specification. The pseudo-flags "all",
204 204 "none" and "current" are supported, to indicate that all flags, no flags, or
205 205 the current set of flags (respectively) are to be included.
206 206 .P
207 207 By default, the inheritable flags are changed. You may optionally specify the
208 208 set to change using their single-letter identifiers and an equals sign.
209 209 .P
210 210 For a list of valid security-flags, see \fBpsecflags -l\fR.
211 211 .RE
212 212
↓ open down ↓ |
177 lines elided |
↑ open up ↑ |
213 213 .SH "EXAMPLES"
214 214 .LP
215 215 \fBExample 1\fR Display the security-flags of the current shell.
216 216 .sp
217 217 .in +2
218 218 .nf
219 219 example$ \fBpsecflags $$\fR
220 220 100718: -sh
221 221 E: aslr
222 222 I: aslr
223 - L: none
224 - U: aslr, forbidnullmap, noexecstack
223 + L: none
224 + U: aslr,forbidnullmap,noexecstack
225 225 .fi
226 226 .in -2
227 227 .sp
228 228
229 229 .LP
230 230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
231 231 inherited security flags.
232 232 .sp
233 233 .in +2
234 234 .nf
235 235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
236 236 $ psecflags $$
237 237 100724: -sh
238 238 E: none
239 239 I: aslr
240 - L: none
241 - U: aslr, forbidnullmap, noexecstack
240 + L: none
241 + U: aslr,forbidnullmap,noexecstack
242 242 .fi
243 243 .in -2
244 244 .sp
245 245
246 246 .LP
247 247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
248 248 .sp
249 249 .in +2
250 250 .nf
251 251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
252 252 .fi
253 253 .in -2
254 254
255 255 .LP
256 256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
257 257 child processes must have this flag set.
258 258 .sp
259 259 .in +2
260 260 .nf
261 261 example# \fBpsecflags -s L=current,aslr $$\fR
262 262 .fi
263 263 .in -2
264 264
265 265 .SH "EXIT STATUS"
266 266 The following exit values are returned:
267 267
268 268 .TP
269 269 \fB0\fR
270 270 .IP
271 271 Success.
272 272
273 273 .TP
274 274 \fBnon-zero\fR
275 275 .IP
276 276 An error has occured.
277 277
278 278 .SH "ATTRIBUTES"
279 279 .LP
280 280 See \fBattributes\fR(5) for descriptions of the following attributes:
281 281 .sp
282 282
283 283 .sp
284 284 .TS
285 285 box;
286 286 c | c
287 287 l | l .
288 288 ATTRIBUTE TYPE ATTRIBUTE VALUE
289 289 _
290 290 Interface Stability Volatile
291 291 .TE
292 292
293 293 .SH "SEE ALSO"
294 294 .BR exec (2),
295 295 .BR attributes (5),
296 296 .BR contract (4),
297 297 .BR security-flags (5),
298 298 .BR zones (5)
↓ open down ↓ |
47 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX