sync further changes from uts/aslr
--- old/usr/src/man/man1/psecflags.1.man.txt
+++ new/usr/src/man/man1/psecflags.1.man.txt
1 1 PSECFLAGS(1) User Commands PSECFLAGS(1)
2 2
3 3
4 4
5 5 NAME
6 6 psecflags - inspect or modify process security flags
7 7
8 8 SYNOPSIS
9 9 /usr/bin/psecflags -s spec -e command [arg]...
10 10
11 11 /usr/bin/psecflags -s spec [-i idtype] id ...
12 12
13 13 /usr/bin/psecflags [-F] { pid | core }
14 14
15 15 /usr/bin/psecflags -l
16 16
17 17
18 18 DESCRIPTION
19 19 The first invocation of the psecflags command runs the specified
20 20 command with the security-flags modified as described by the -s
21 21 argument.
22 22
23 23 The second invocation modifies the security-flags of the processes
24 24 described by idtype and id according as described by the -s argument.
25 25
26 26 The third invocation describes the security-flags of the specified
27 27 processes or core files. The effective set is signified by 'E', the
28 28 inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.
29 29
30 30 The fourth invocation lists the supported process security-flags,
31 31 documented in security-flags(5).
32 32
33 33
34 34 OPTIONS
35 35 The following options are supported:
36 36
37 37 -e
38 38 Interpret the remaining arguments as a command line and run
39 39 the command with the security-flags specified with the -s
40 40 flag.
41 41
42 42
43 43 -F
44 44 Force. Grab the target process even if another process has
45 45 control.
46 46
47 47
48 48 -i idtype
49 49 This option, together with the id arguments specify one or
50 50 more processes whose security-flags will be modified. The
51 51 interpretation of the id arguments is based on idtype. If
52 52 idtype is omitted the default is pid.
53 53
54 54 Valid idtype options are:
55 55
56 56 all
57 57 The psecflags command applies to all processes
58 58
59 59
60 60 contract, ctid
61 61 The security-flags of any process with a contract
62 62 ID matching the id arguments are modified.
63 63
64 64
65 65 group, gid
66 66 The security-flags of any process with a group ID
67 67 matching the id arguments are modified.
68 68
69 69
70 70 pid
71 71 The security-flags of any process with a process
72 72 ID matching the id arguments are modified. This
73 73 is the default.
74 74
75 75
76 76 ppid
77 77 The security-flags of any processes whose parent
78 78 process ID matches the id arguments are modified.
79 79
80 80
81 81 project, projid
82 82 The security-flags of any process whose project
83 83 ID matches the id arguments are modified.
84 84
85 85
86 86 session, sid
87 87 The security-flags of any process whose session
88 88 ID matches the id arguments are modified.
89 89
90 90
91 91 taskid
92 92 The security-flags of any process whose task ID
93 93 matches the id arguments are modified.
94 94
95 95
96 96 user, uid
97 97 The security-flags of any process belonging to
98 98 the users matching the id arguments are modified.
99 99
100 100
101 101 zone, zoneid
102 102 The security-flags of any process running in the
103 103 zones matching the given id arguments are
104 104 modified.
105 105
106 106
107 107 -l
108 108 List all supported process security-flags, described in
109 109 security-flags(5).
110 110
111 111
112 112 -s specification
113 113 Modify the process security-flags according to
114 114 specification. Specifications take the form of a comma-
115 115 separated list of flags, optionally preceded by a '-' or
116 116 '!'. Where '-' and '!' indicate that the given flag should
117 117 be removed from the specification. The pseudo-flags "all",
118 118 "none" and "current" are supported, to indicate that all
119 119 flags, no flags, or the current set of flags (respectively)
120 120 are to be included.
121 121
122 122 By default, the inheritable flags are changed. You may
123 123 optionally specify the set to change using their single-
124 124 letter identifiers and an equals sign.
125 125
126 126 For a list of valid security-flags, see psecflags -l.
127 127
128 128
129 129 EXAMPLES
130 130 Example 1 Display the security-flags of the current shell.
131 131
132 132 example$ psecflags $$
133 133 100718: -sh
134 134 E: aslr
135 135 I: aslr
136 136 L: none
137 137 U: aslr,forbidnullmap,noexecstack
138 138
139 139
140 140
141 141 Example 2 Run a user command with ASLR enabled in addition to any
142 142 inherited security flags.
143 143
144 144 example$ psecflags -s current,aslr -e /bin/sh
145 145 $ psecflags $$
146 146 100724: -sh
147 147 E: none
148 148 I: aslr
149 149 L: none
150 150 U: aslr,forbidnullmap,noexecstack
151 151
152 152
153 153
154 154 Example 3 Remove aslr from the inheritable flags of all Bob's
155 155 processes.
156 156
157 157 example# psecflags -s current,-aslr -i uid bob
158 158
159 159
160 160 Example 4 Add the aslr flag to the lower set, so that all future child
161 161 processes must have this flag set.
162 162
163 163 example# psecflags -s L=current,aslr $$
164 164
165 165
166 166 EXIT STATUS
167 167 The following exit values are returned:
168 168
169 169
170 170 0
171 171
172 172 Success.
173 173
174 174
175 175 non-zero
176 176
177 - An error has occured.
177 + An error has occurred.
178 178
179 179
180 180 ATTRIBUTES
181 181 See attributes(5) for descriptions of the following attributes:
182 182
183 183
184 184
185 185
186 186 +--------------------+-----------------+
187 187 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
188 188 +--------------------+-----------------+
189 189 |Interface Stability | Volatile |
190 190 +--------------------+-----------------+
191 191
192 192 SEE ALSO
193 193 exec(2), attributes(5), contract(4), security-flags(5), zones(5)
194 194
195 195
196 196
197 197 June 6, 2016 PSECFLAGS(1)
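Review bot: Example 2 (lines 141-150) is titled "Run a user command with ASLR enabled", but its sample output shows "E: none" with only "I: aslr", so the example does not show aslr in the effective set of the shell it started, whereas Example 1 shows "E: aslr". Since this change is already correcting the text, either fix the sample output or add a sentence to the -s description (lines 122-124, "By default, the inheritable flags are changed") stating when inheritable flags become effective. The same pass could also fix "according as described by" at line 24 and the "-s spec" versus "-s specification" naming between SYNOPSIS and OPTIONS.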