smf: switch to a tri-state for process-security properties true=on,false=off,nil=default


  41 
  42                   This flag may also be enabled by the presence of the
  43                   DT_SUNW_ASLR dynamic tag in the .dynamic section of the
  44                   executable file. If this tag has a value of 1, ASLR will be
  45                   enabled. If the flag has a value of 0 ASLR will be disabled.
  46                   If the tag is not present, the value of the ASLR flag will
  47                   be inherited as normal.
  48 
  49 
  50        Forbid mappings at NULL (FORBIDNULLMAP)
  51                   Mappings with an address of 0 are forbidden, and return
  52                   EINVAL rather than being honored.
  53 
  54 
  55        Make the userspace stack non-executable (NOEXECSTACK)
  56                   The stack will be mapped without executable permission, and
  57                   attempts to execute it will fault.
  58 
  59        System default security-flags are configured via properties on the
  60        svc:/system/process-security service, which contains a boolean property
  61        per-flag in the default, lower and upper, property groups.  For
  62        example, to enable ASLR by default you would execute the following
  63        commands:

  64 
  65          # svccfg -s svc:/system/process-security setprop default/aslr = true
  66 
  67 





  68        This can be done by any user with the solaris.smf.value.process-
  69        security authorization.
  70 
  71        Since security-flags are strictly inherited, this will not take effect
  72        until the system or zone is next booted.
  73 
  74 
  75 SEE ALSO
  76        psecflags(1), svccfg(1M), brk(2), exec(2), mmap(2), mmapobj(2),
  77        privileges(5), rbac(5)
  78 
  79 
  80 
  81                                  June 6, 2016                SECURITY-FLAGS(5)


  41 
  42                   This flag may also be enabled by the presence of the
  43                   DT_SUNW_ASLR dynamic tag in the .dynamic section of the
  44                   executable file. If this tag has a value of 1, ASLR will be
  45                   enabled. If the flag has a value of 0 ASLR will be disabled.
  46                   If the tag is not present, the value of the ASLR flag will
  47                   be inherited as normal.
  48 
  49 
  50        Forbid mappings at NULL (FORBIDNULLMAP)
  51                   Mappings with an address of 0 are forbidden, and return
  52                   EINVAL rather than being honored.
  53 
  54 
  55        Make the userspace stack non-executable (NOEXECSTACK)
  56                   The stack will be mapped without executable permission, and
  57                   attempts to execute it will fault.
  58 
  59        System default security-flags are configured via properties on the
  60        svc:/system/process-security service, which contains a boolean property
  61        per-flag in the default, lower and upper, property groups.  The value
  62        indicates the setting of the flag, flags with no value take their
  63        defaults.  For example, to enable ASLR by default you would execute the
  64        following commands:
  65 
  66          # svccfg -s svc:/system/process-security setprop default/aslr = true
  67 
  68 
  69        To restore the setting to the defaults you would execute:
  70 
  71          # svccfg -s svc:/system/process-security delpropvalue default/aslr true
  72 
  73 
  74        This can be done by any user with the solaris.smf.value.process-
  75        security authorization.
  76 
  77        Since security-flags are strictly inherited, this will not take effect
  78        until the system or zone is next booted.
  79 
  80 
  81 SEE ALSO
  82        psecflags(1), svccfg(1M), brk(2), exec(2), mmap(2), mmapobj(2),
  83        privileges(5), rbac(5)
  84 
  85 
  86 
  87                                  June 6, 2016                SECURITY-FLAGS(5)
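
Review bot: In the added restore example (new lines 69-71), `delpropvalue default/aslr true` deletes only values that match the pattern `true`, so where the property was previously set to false the value stays in place and the flag does not return to its default. The text should say that the pattern has to match the value currently set, or show a form that clears either value. The sentence added at new lines 61-63 is a comma splice ("...the setting of the flag, flags with no value take their defaults"), and the paragraph still calls each property "boolean" while describing a third, unset state; state explicitly that a property with no value means "use the default". "following commands:" now introduces a single command, and with two examples above it, "This can be done by any user..." at new line 74 and "this will not take effect..." at new line 77 no longer have a clear referent; say that both setting and clearing the value need the authorization and take effect at next boot.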