PSECFLAGS(1)                    User Commands                    PSECFLAGS(1)

NAME
       psecflags - inspect or modify process security flags

SYNOPSIS
       /usr/bin/psecflags -s spec -e command [arg]...

       /usr/bin/psecflags -s spec [-i idtype] id ...

       /usr/bin/psecflags [-F] { pid | core }

       /usr/bin/psecflags -l

DESCRIPTION
       The first invocation of the psecflags command runs the specified
       command with the security-flags modified as described by the -s
       argument.

       The second invocation modifies the security-flags of the processes
       described by idtype and id, as described by the -s argument.

       The third invocation describes the security-flags of the specified
       processes or core files. The effective set is signified by 'E', the
       inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.

       The fourth invocation lists the supported process security-flags,
       documented in security-flags(5).

OPTIONS
       The following options are supported:

       -e
           Interpret the remaining arguments as a command line and run
           the command with the security-flags specified with the -s
           flag.

       -F
           Force. Grab the target process even if another process has
           control.

       -i idtype
           This option, together with the id arguments, specifies one or
           more processes whose security-flags will be modified. The
           interpretation of the id arguments is based on idtype. If
           idtype is omitted, the default is pid.

           Valid idtype options are:

           all
               The psecflags command applies to all processes.

           contract, ctid
               The security-flags of any process with a contract
               ID matching the id arguments are modified.

           group, gid
               The security-flags of any process with a group ID
               matching the id arguments are modified.

           pid
               The security-flags of any process with a process
               ID matching the id arguments are modified. This
               is the default.

           ppid
               The security-flags of any processes whose parent
               process ID matches the id arguments are modified.

           project, projid
               The security-flags of any process whose project
               ID matches the id arguments are modified.

           session, sid
               The security-flags of any process whose session
               ID matches the id arguments are modified.

           taskid
               The security-flags of any process whose task ID
               matches the id arguments are modified.

           user, uid
               The security-flags of any process belonging to
               the users matching the id arguments are modified.

           zone, zoneid
               The security-flags of any process running in the
               zones matching the given id arguments are
               modified.

       -l
           List all supported process security-flags, described in
           security-flags(5).

       -s specification
           Modify the process security-flags according to
           specification. Specifications take the form of a
           comma-separated list of flags, each optionally preceded by
           a '-' or '!', which indicates that the given flag should be
           removed from the specification. The pseudo-flags "all",
           "none" and "current" are supported, to indicate that all
           flags, no flags, or the current set of flags (respectively)
           are to be included.

           By default, the inheritable flags are changed. You may
           optionally specify the set to change using its
           single-letter identifier and an equals sign.

           For a list of valid security-flags, see psecflags -l.

EXAMPLES
       Example 1 Display the security-flags of the current shell.

           example$ psecflags $$
           100718: -sh
                   E: aslr
                   I: aslr
                   L: none
                   U: aslr, forbidnullmap, noexecstack

       Example 2 Run a user command with ASLR enabled in addition to any
       inherited security flags.

           example$ psecflags -s current,aslr -e /bin/sh
           $ psecflags $$
           100724: -sh
                   E: none
                   I: aslr
                   L: none
                   U: aslr, forbidnullmap, noexecstack

       Example 3 Remove aslr from the inheritable flags of all Bob's
       processes.

           example# psecflags -s current,-aslr -i uid bob

       Example 4 Add the aslr flag to the lower set, so that all future child
       processes must have this flag set.

           example# psecflags -s L=current,aslr $$

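Added example (not part of the original manual page): a POSIX shell filter that reads the listing printed by the third invocation and reports every process whose chosen set lacks a given flag, for instance to audit for aslr missing from the effective set. The names secflag_missing and sample_output are hypothetical, and the input layout is assumed to be the one shown in Examples 1 and 2.

```shell
#!/bin/sh
# Added example: audit helper for psecflags listings (not from the man page).
# Input on stdin: text printed by `psecflags pid`, assumed to use the layout
# of Examples 1 and 2: a "pid: command" header, then E:/I:/L:/U: lines.

# secflag_missing FLAG [SET] -- SET is E, I, L or U (default E).
# Prints "pid command" for every process whose SET does not contain FLAG.
secflag_missing() {
    awk -v flag="$1" -v want="${2:-E}" '
        /^[0-9]+:/ {                      # header line, e.g. "100718: -sh"
            pid = $0; sub(/:.*/, "", pid)
            cmd = $0; sub(/^[0-9]+:[ \t]*/, "", cmd)
            next
        }
        /^[ \t]*[EILU]:/ {                # one of the four flag sets
            line = $0
            sub(/^[ \t]*/, "", line)
            sub(/[ \t\r]*$/, "", line)
            if (substr(line, 1, 1) != want) next
            sub(/^[EILU]:[ \t]*/, "", line)
            found = 0
            n = split(line, flags, /,[ \t]*/)   # "none" is just a non-match
            for (i = 1; i <= n; i++)
                if (flags[i] == flag) found = 1
            if (!found) print pid, cmd
        }
    '
}

# Constructed sample: the two listings shown in Examples 1 and 2.
sample_output() {
    cat <<'EOF'
100718: -sh
E: aslr
I: aslr
L: none
U: aslr, forbidnullmap, noexecstack
100724: -sh
E: none
I: aslr
L: none
U: aslr, forbidnullmap, noexecstack
EOF
}

# On a live system: psecflags "$pid" | secflag_missing aslr E
```

Run against the sample, `sample_output | secflag_missing aslr E` reports only 100724, the shell from Example 2 whose inheritable set has aslr while its effective set is still none.
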
EXIT STATUS
       The following exit values are returned:

       0
           Success.

       non-zero
           An error has occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Volatile        |
       +--------------------+-----------------+

SEE ALSO
       exec(2), attributes(5), contract(4), security-flags(5), zones(5)

                                 May 3, 2014                     PSECFLAGS(1)