7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


 301         and modify process state to other processes regardless of
 302         ownership.  When modifying another process, additional
 303         restrictions apply:  the effective privilege set of the
 304         attaching process must be a superset of the target process'
 305         effective, permitted and inheritable sets; the limit set must
 306         be a superset of the target's limit set; if the target process
 307         has any uid set to 0 all privilege must be asserted unless the
 308         effective uid is 0.
 309         Allows a process to bind arbitrary processes to CPUs.
 310 
 311 privilege PRIV_PROC_PRIOUP
 312 
 313         Allows a process to elevate its priority above its current level.
 314 
 315 privilege PRIV_PROC_PRIOCNTL
 316 
 317         Allows all that PRIV_PROC_PRIOUP allows.
 318         Allows a process to change its scheduling class to any scheduling class,
 319         including the RT class.
 320 





 321 basic privilege PRIV_PROC_SESSION
 322 
 323         Allows a process to send signals or trace processes outside its
 324         session.
 325 
 326 unsafe privilege PRIV_PROC_SETID
 327 
 328         Allows a process to set its uids at will.
 329         Assuming uid 0 requires all privileges to be asserted.
 330 
 331 privilege PRIV_PROC_TASKID
 332 
 333         Allows a process to assign a new task ID to the calling process.
 334 
 335 privilege PRIV_PROC_ZONE
 336 
 337         Allows a process to trace or send signals to processes in
 338         other zones.
 339 
 340 privilege PRIV_SYS_ACCT




 301         and modify process state to other processes regardless of
 302         ownership.  When modifying another process, additional
 303         restrictions apply:  the effective privilege set of the
 304         attaching process must be a superset of the target process'
 305         effective, permitted and inheritable sets; the limit set must
 306         be a superset of the target's limit set; if the target process
 307         has any uid set to 0 all privilege must be asserted unless the
 308         effective uid is 0.
 309         Allows a process to bind arbitrary processes to CPUs.
 310 
 311 privilege PRIV_PROC_PRIOUP
 312 
 313         Allows a process to elevate its priority above its current level.
 314 
 315 privilege PRIV_PROC_PRIOCNTL
 316 
 317         Allows all that PRIV_PROC_PRIOUP allows.
 318         Allows a process to change its scheduling class to any scheduling class,
 319         including the RT class.
 320 
 321 basic privilege PRIV_PROC_SECFLAGS
 322 
 323         Allows a process to manipulate the secflags of processes (subject to,
 324         additionally, the ability to signal that process)
 325 
 326 basic privilege PRIV_PROC_SESSION
 327 
 328         Allows a process to send signals or trace processes outside its
 329         session.
 330 
 331 unsafe privilege PRIV_PROC_SETID
 332 
 333         Allows a process to set its uids at will.
 334         Assuming uid 0 requires all privileges to be asserted.
 335 
 336 privilege PRIV_PROC_TASKID
 337 
 338         Allows a process to assign a new task ID to the calling process.
 339 
 340 privilege PRIV_PROC_ZONE
 341 
 342         Allows a process to trace or send signals to processes in
 343         other zones.
 344 
 345 privilege PRIV_SYS_ACCT
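
Review bot: the new PRIV_PROC_SECFLAGS description (new lines 323-324) ends without a period, unlike every neighbouring entry, and puts its main constraint in an awkward parenthetical: "(subject to, additionally, the ability to signal that process)". Suggest rewording along the lines of "Allows a process to manipulate the secflags of processes, provided it is also able to signal the target process." Because the entry is declared as a basic privilege, the text should also state whether it covers a process changing its own secflags or only those of other processes, so that anyone removing it from a basic set knows what is being restricted.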