PSECFLAGS(1)                    User Commands                    PSECFLAGS(1)

NAME
       psecflags - inspect or modify process security flags

SYNOPSIS
       /usr/bin/psecflags -s spec -e command [arg]...

       /usr/bin/psecflags -s spec [-i idtype] id ...

       /usr/bin/psecflags [-F] { pid | core }

       /usr/bin/psecflags -l

DESCRIPTION
       The first invocation of the psecflags command runs the specified
       command with the security-flags modified as described by the -s
       argument.

       The second invocation modifies the security-flags of the processes
       described by idtype and id as described by the -s argument.

       The third invocation describes the security-flags of the specified
       processes or core files. The effective set is signified by 'E', the
       inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.

       The fourth invocation lists the supported process security-flags,
       documented in security-flags(5).

OPTIONS
       The following options are supported:

       -e
           Interpret the remaining arguments as a command line and run
           the command with the security-flags specified with the -s
           flag.

       -F
           Force. Grab the target process even if another process has
           control.

       -i idtype
           This option, together with the id arguments, specifies one or
           more processes whose security-flags will be modified. The
           interpretation of the id arguments is based on idtype. If
           idtype is omitted, the default is pid.

           Valid idtype options are:

           all
               The psecflags command applies to all processes.

           contract, ctid
               The security-flags of any process with a contract
               ID matching the id arguments are modified.

           group, gid
               The security-flags of any process with a group ID
               matching the id arguments are modified.

           pid
               The security-flags of any process with a process
               ID matching the id arguments are modified. This
               is the default.

           ppid
               The security-flags of any processes whose parent
               process ID matches the id arguments are modified.

           project, projid
               The security-flags of any process whose project
               ID matches the id arguments are modified.

           session, sid
               The security-flags of any process whose session
               ID matches the id arguments are modified.

           taskid
               The security-flags of any process whose task ID
               matches the id arguments are modified.

           user, uid
               The security-flags of any process belonging to
               the users matching the id arguments are modified.

           zone, zoneid
               The security-flags of any process running in the
               zones matching the given id arguments are
               modified.

       -l
           List all supported process security-flags, described in
           security-flags(5).

       -s specification
           Modify the process security-flags according to
           specification. Specifications take the form of a
           comma-separated list of flags, each optionally preceded by
           a '-' or '!', which indicates that the given flag should be
           removed from the specification. The pseudo-flags "all",
           "none" and "current" are supported, to indicate that all
           flags, no flags, or the current set of flags (respectively)
           are to be included.

           By default, the inheritable flags are changed. You may
           optionally specify the set to change using its
           single-letter identifier and an equals sign.

           For a list of valid security-flags, see psecflags -l.

EXAMPLES
       Example 1 Display the security-flags of the current shell.

           example$ psecflags $$
           100718: -sh
           E: aslr
           I: aslr
           L: none
           U: aslr,forbidnullmap,noexecstack

       Example 2 Run a user command with ASLR enabled in addition to any
       inherited security flags.

           example$ psecflags -s current,aslr -e /bin/sh
           $ psecflags $$
           100724: -sh
           E: none
           I: aslr
           L: none
           U: aslr,forbidnullmap,noexecstack

       Example 3 Remove aslr from the inheritable flags of all Bob's
       processes.

           example# psecflags -s current,-aslr -i uid bob

       Example 4 Add the aslr flag to the lower set, so that all future child
       processes must have this flag set.

           example# psecflags -s L=current,aslr $$

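Added example (not part of the original manual page): an audit helper that reads psecflags output in the layout shown in Examples 1 and 2 and reports every process whose effective (E) set lacks a required flag, which catches the case in Example 2 where aslr is in the inheritable set but not the effective one. The function names missing_effective and sample_output are hypothetical, and the input is a constructed sample built from the two outputs above.

```shell
#!/bin/sh
# Report processes whose effective (E) security-flag set lacks a flag.
# Assumes the output layout shown in EXAMPLES: a "pid: command" header
# line followed by E:/I:/L:/U: lines for that process.

# missing_effective FLAG
#   Reads psecflags output on stdin and prints "pid command" for each
#   process whose E set does not contain FLAG.
missing_effective() {
    awk -v want="$1" '
        /^[ \t]*[0-9]+:/ {              # header line, e.g. "100718: -sh"
            line = $0
            sub(/^[ \t]*/, "", line)
            pid = line; sub(/:.*/, "", pid)
            cmd = line; sub(/^[0-9]+:[ \t]*/, "", cmd)
            next
        }
        /^[ \t]*E:/ {                   # effective set, e.g. "E: aslr"
            flags = $0
            sub(/^[ \t]*E:[ \t]*/, "", flags)
            sub(/[ \t\r]*$/, "", flags)
            n = split(flags, f, ",")
            found = 0
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            if (!found) print pid, cmd
        }
    '
}

# Constructed sample: the outputs of Examples 1 and 2, concatenated.
sample_output() {
    cat <<'EOF'
100718: -sh
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
100724: -sh
E: none
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
EOF
}

# On a live system the input would come from: psecflags pid ...
sample_output | missing_effective aslr
```

Core-file headers are not handled; the helper only recognizes headers that begin with a numeric process ID.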

EXIT STATUS
       The following exit values are returned:

       0
           Success.

       non-zero
           An error has occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Volatile        |
       +--------------------+-----------------+

SEE ALSO
       exec(2), attributes(5), contract(4), security-flags(5), zones(5)

                                 June 6, 2016                    PSECFLAGS(1)