1 '\" te 2 .\" This file and its contents are supplied under the terms of the 3 .\" Common Development and Distribution License ("CDDL"), version 1.0. 4 .\" You may only use this file in accordance with the terms of version 5 .\" 1.0 of the CDDL. 6 .\" 7 .\" A full copy of the text of the CDDL should have accompanied this 8 .\" source. A copy of the CDDL is also available via the Internet at 9 .\" http://www.illumos.org/license/CDDL. 10 .\" 11 .\" Copyright 2015, Richard Lowe. 12 .\" 13 .TH "PSECFLAGS" "1" "June 6, 2016" 14 .SH "NAME" 15 \fBpsecflags\fR - inspect or modify process security flags 16 .SH "SYNOPSIS" 17 .LP 18 .nf 19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \ 20 [\fIarg\fR]... 21 .fi 22 .LP 23 .nf 24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \ 25 \fIid\fR ... 26 .fi 27 .LP 28 .nf 29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR } 30 .fi 31 .LP 32 .nf 33 \fB/usr/bin/psecflags\fR \fI-l\fR 34 .fi 35 36 .SH "DESCRIPTION" 37 The first invocation of the \fBpsecflags\fR command runs the specified 38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR 39 argument. 40 .P 41 The second invocation modifies the security-flags of the processes described 42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument. 43 .P 44 The third invocation describes the security-flags of the specified processes 45 or core files. The effective set is signified by '\fBE\fR', the inheritable 46 set by '\fBI\fR', the lower set by '\fBL\fR', and the upper set by '\fBU\fR'. 47 .P 48 The fourth invocation lists the supported process security-flags, documented 49 in \fBsecurity-flags\fR(5). 50 51 .SH "OPTIONS" 52 The following options are supported: 53 .sp 54 .ne 2 55 .na 56 \fB-e\fR 57 .ad 58 .RS 11n 59 Interpret the remaining arguments as a command line and run the command with 60 the security-flags specified with the \fI-s\fR flag. 61 .RE 62 63 .sp 64 .ne 2 65 .na 66 \fB-F\fR 67 .ad 68 .RS 11n 69 Force. Grab the target process even if another process has control. 70 .RE 71 72 .sp 73 .ne 2 74 .na 75 \fB-i\fR \fIidtype\fR 76 .ad 77 .RS 11n 78 This option, together with the \fIid\fR arguments specify one or more 79 processes whose security-flags will be modified. The interpretation of the 80 \fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted the 81 default is \fBpid\fR. 82 83 Valid \fIidtype\fR options are: 84 .sp 85 .ne 2 86 .na 87 \fBall\fR 88 .ad 89 .RS 11n 90 The \fBpsecflags\fR command applies to all processes 91 .RE 92 93 .sp 94 .ne 2 95 .na 96 \fBcontract\fR, \fBctid\fR 97 .ad 98 .RS 11n 99 The security-flags of any process with a contract ID matching the \fIid\fR 100 arguments are modified. 101 .RE 102 103 .sp 104 .ne 2 105 .na 106 \fBgroup\fR, \fBgid\fR 107 .ad 108 .RS 11n 109 The security-flags of any process with a group ID matching the \fIid\fR 110 arguments are modified. 111 .RE 112 113 .sp 114 .ne 2 115 .na 116 \fBpid\fR 117 .ad 118 .RS 11n 119 The security-flags of any process with a process ID matching the \fIid\fR 120 arguments are modified. This is the default. 121 .RE 122 123 .sp 124 .ne 2 125 .na 126 \fBppid\fR 127 .ad 128 .RS 11n 129 The security-flags of any processes whose parent process ID matches the 130 \fIid\fR arguments are modified. 131 .RE 132 133 .sp 134 .ne 2 135 .na 136 \fBproject\fR, \fBprojid\fR 137 .ad 138 .RS 11n 139 The security-flags of any process whose project ID matches the \fIid\fR 140 arguments are modified. 141 .RE 142 143 .sp 144 .ne 2 145 .na 146 \fBsession\fR, \fBsid\fR 147 .ad 148 .RS 11n 149 The security-flags of any process whose session ID matches the \fIid\fR 150 arguments are modified. 151 .RE 152 153 .sp 154 .ne 2 155 .na 156 \fBtaskid\fR 157 .ad 158 .RS 11n 159 The security-flags of any process whose task ID matches the \fIid\fR arguments 160 are modified. 161 .RE 162 163 .sp 164 .ne 2 165 .na 166 \fBuser\fR, \fBuid\fR 167 .ad 168 .RS 11n 169 The security-flags of any process belonging to the users matching the \fIid\fR 170 arguments are modified. 171 .RE 172 173 .sp 174 .ne 2 175 .na 176 \fBzone\fR, \fBzoneid\fR 177 .ad 178 .RS 11n 179 The security-flags of any process running in the zones matching the given 180 \fIid\fR arguments are modified. 181 .RE 182 .RE 183 184 .sp 185 .ne 2 186 .na 187 \fB-l\fR 188 .ad 189 .RS 11n 190 List all supported process security-flags, described in 191 \fBsecurity-flags\fR(5). 192 .RE 193 194 .sp 195 .ne 2 196 .na 197 \fB-s\fR \fIspecification\fR 198 .ad 199 .RS 11n 200 Modify the process security-flags according to 201 \fIspecification\fR. Specifications take the form of a comma-separated list of 202 flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the 203 given flag should be removed from the specification. The pseudo-flags "all", 204 "none" and "current" are supported, to indicate that all flags, no flags, or 205 the current set of flags (respectively) are to be included. 206 .P 207 By default, the inheritable flags are changed. You may optionally specify the 208 set to change using their single-letter identifiers and an equals sign. 209 .P 210 For a list of valid security-flags, see \fBpsecflags -l\fR. 211 .RE 212 213 .SH "EXAMPLES" 214 .LP 215 \fBExample 1\fR Display the security-flags of the current shell. 216 .sp 217 .in +2 218 .nf 219 example$ \fBpsecflags $$\fR 220 100718: -sh 221 E: aslr 222 I: aslr 223 L: none 224 U: aslr,forbidnullmap,noexecstack 225 .fi 226 .in -2 227 .sp 228 229 .LP 230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any 231 inherited security flags. 232 .sp 233 .in +2 234 .nf 235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR 236 $ psecflags $$ 237 100724: -sh 238 E: none 239 I: aslr 240 L: none 241 U: aslr,forbidnullmap,noexecstack 242 .fi 243 .in -2 244 .sp 245 246 .LP 247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes. 248 .sp 249 .in +2 250 .nf 251 example# \fBpsecflags -s current,-aslr -i uid bob\fR 252 .fi 253 .in -2 254 255 .LP 256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future 257 child processes must have this flag set. 258 .sp 259 .in +2 260 .nf 261 example# \fBpsecflags -s L=current,aslr $$\fR 262 .fi 263 .in -2 264 265 .SH "EXIT STATUS" 266 The following exit values are returned: 267 268 .TP 269 \fB0\fR 270 .IP 271 Success. 272 273 .TP 274 \fBnon-zero\fR 275 .IP 276 An error has occurred. 277 278 .SH "ATTRIBUTES" 279 .LP 280 See \fBattributes\fR(5) for descriptions of the following attributes: 281 .sp 282 283 .sp 284 .TS 285 box; 286 c | c 287 l | l . 288 ATTRIBUTE TYPE ATTRIBUTE VALUE 289 _ 290 Interface Stability Volatile 291 .TE 292 293 .SH "SEE ALSO" 294 .BR exec (2), 295 .BR attributes (5), 296 .BR contract (4), 297 .BR security-flags (5), 298 .BR zones (5)