PSECFLAGS(1) User Commands PSECFLAGS(1) NNAAMMEE ppsseeccffllaaggss - inspect or modify process security flags SSYYNNOOPPSSIISS //uussrr//bbiinn//ppsseeccffllaaggss _-_s _s_p_e_c _-_e _c_o_m_m_a_n_d [_a_r_g]... //uussrr//bbiinn//ppsseeccffllaaggss _-_s _s_p_e_c [_-_i _i_d_t_y_p_e] _i_d ... //uussrr//bbiinn//ppsseeccffllaaggss [_-_F] { _p_i_d | _c_o_r_e } //uussrr//bbiinn//ppsseeccffllaaggss _-_l DDEESSCCRRIIPPTTIIOONN The first invocation of the ppsseeccffllaaggss command runs the specified _c_o_m_m_a_n_d with the security-flags modified as described by the _-_s argument. The second invocation modifies the security-flags of the processes described by _i_d_t_y_p_e and _i_d according as described by the _-_s argument. The third invocation describes the security-flags of the specified processes or core files. The effective set is signified by 'EE', the inheritable set by 'II', the lower set by 'LL', and the upper set by 'UU'. The fourth invocation lists the supported process security-flags, documented in sseeccuurriittyy--ffllaaggss(5). OOPPTTIIOONNSS The following options are supported: --ee Interpret the remaining arguments as a command line and run the command with the security-flags specified with the _-_s flag. --FF Force. Grab the target process even if another process has control. --ii _i_d_t_y_p_e This option, together with the _i_d arguments specify one or more processes whose security-flags will be modified. The interpretation of the _i_d arguments is based on _i_d_t_y_p_e. If _i_d_t_y_p_e is omitted the default is ppiidd. Valid _i_d_t_y_p_e options are: aallll The ppsseeccffllaaggss command applies to all processes ccoonnttrraacctt, ccttiidd The security-flags of any process with a contract ID matching the _i_d arguments are modified. ggrroouupp, ggiidd The security-flags of any process with a group ID matching the _i_d arguments are modified. ppiidd The security-flags of any process with a process ID matching the _i_d arguments are modified. This is the default. ppppiidd The security-flags of any processes whose parent process ID matches the _i_d arguments are modified. pprroojjeecctt, pprroojjiidd The security-flags of any process whose project ID matches the _i_d arguments are modified. sseessssiioonn, ssiidd The security-flags of any process whose session ID matches the _i_d arguments are modified. ttaasskkiidd The security-flags of any process whose task ID matches the _i_d arguments are modified. uusseerr, uuiidd The security-flags of any process belonging to the users matching the _i_d arguments are modified. zzoonnee, zzoonneeiidd The security-flags of any process running in the zones matching the given _i_d arguments are modified. --ll List all supported process security-flags, described in sseeccuurriittyy--ffllaaggss(5). --ss _s_p_e_c_i_f_i_c_a_t_i_o_n Modify the process security-flags according to _s_p_e_c_i_f_i_c_a_t_i_o_n. Specifications take the form of a comma- separated list of flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the given flag should be removed from the specification. The pseudo-flags "all", "none" and "current" are supported, to indicate that all flags, no flags, or the current set of flags (respectively) are to be included. By default, the inheritable flags are changed. You may optionally specify the set to change using their single- letter identifiers and an equals sign. For a list of valid security-flags, see ppsseeccffllaaggss --ll. EEXXAAMMPPLLEESS EExxaammppllee 11 Display the security-flags of the current shell. example$ ppsseeccffllaaggss $$$$ 100718: -sh E: aslr I: aslr L: none U: aslr,forbidnullmap,noexecstack EExxaammppllee 22 Run a user command with ASLR enabled in addition to any inherited security flags. example$ ppsseeccffllaaggss --ss ccuurrrreenntt,,aassllrr --ee //bbiinn//sshh $ psecflags $$ 100724: -sh E: none I: aslr L: none U: aslr,forbidnullmap,noexecstack EExxaammppllee 33 Remove aslr from the inheritable flags of all Bob's processes. example# ppsseeccffllaaggss --ss ccuurrrreenntt,,--aassllrr --ii uuiidd bboobb EExxaammppllee 44 Add the aslr flag to the lower set, so that all future child processes must have this flag set. example# ppsseeccffllaaggss --ss LL==ccuurrrreenntt,,aassllrr $$$$ EEXXIITT SSTTAATTUUSS The following exit values are returned: 00 Success. nnoonn--zzeerroo An error has occurred. AATTTTRRIIBBUUTTEESS See aattttrriibbuutteess(5) for descriptions of the following attributes: +--------------------+-----------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +--------------------+-----------------+ |Interface Stability | Volatile | +--------------------+-----------------+ SSEEEE AALLSSOO eexxeecc(2), aattttrriibbuutteess(5), ccoonnttrraacctt(4), sseeccuurriittyy--ffllaaggss(5), zzoonneess(5) June 6, 2016 PSECFLAGS(1)