smf: switch to a tri-state for process-security properties true=on,false=off,nil=default


  61 Forbid mappings at NULL (\fBFORBIDNULLMAP\fR)
  62 .ad
  63 .RS 11n
  64 Mappings with an address of 0 are forbidden, and return EINVAL rather than
  65 being honored.
  66 .RE
  67 
  68 .sp
  69 .ne 2
  70 .na
  71 Make the userspace stack non-executable (\fBNOEXECSTACK\fR)
  72 .ad
  73 .RS 11n
  74 The stack will be mapped without executable permission, and attempts to
  75 execute it will fault.
  76 .RE
  77 
  78 System default security-flags are configured via properties on the
  79 \fBsvc:/system/process-security\fR service, which contains a boolean property
  80 per-flag in the \fBdefault\fR, \fBlower\fR and \fBupper\fR, property groups.
  81 For example, to enable ASLR by default you would execute the following
  82 commands:

  83 .sp
  84 .in +2
  85 .nf
  86 # svccfg -s svc:/system/process-security setprop default/aslr = true
  87 .fi
  88 .in -2
  89 .sp
  90 .P









  91 This can be done by any user with the \fBsolaris.smf.value.process-security\fR
  92 authorization.
  93 .P
  94 Since security-flags are strictly inherited, this will not take effect until
  95 the system or zone is next booted.
  96 
  97 .SH "SEE ALSO"
  98 .BR psecflags (1),
  99 .BR svccfg (1M),
 100 .BR brk (2),
 101 .BR exec (2),
 102 .BR mmap (2),
 103 .BR mmapobj (2),
 104 .BR privileges (5),
 105 .BR rbac (5)


  61 Forbid mappings at NULL (\fBFORBIDNULLMAP\fR)
  62 .ad
  63 .RS 11n
  64 Mappings with an address of 0 are forbidden, and return EINVAL rather than
  65 being honored.
  66 .RE
  67 
  68 .sp
  69 .ne 2
  70 .na
  71 Make the userspace stack non-executable (\fBNOEXECSTACK\fR)
  72 .ad
  73 .RS 11n
  74 The stack will be mapped without executable permission, and attempts to
  75 execute it will fault.
  76 .RE
  77 
  78 System default security-flags are configured via properties on the
  79 \fBsvc:/system/process-security\fR service, which contains a boolean property
  80 per-flag in the \fBdefault\fR, \fBlower\fR and \fBupper\fR, property groups.
  81 The value indicates the setting of the flag, flags with no value take their
  82 defaults.  For example, to enable ASLR by default you would execute the
  83 following commands:
  84 .sp
  85 .in +2
  86 .nf
  87 # svccfg -s svc:/system/process-security setprop default/aslr = true
  88 .fi
  89 .in -2
  90 .sp
  91 .P
  92 To restore the setting to the defaults you would execute:
  93 .sp
  94 .in +2
  95 .nf
  96 # svccfg -s svc:/system/process-security delpropvalue default/aslr true
  97 .fi
  98 .in -2
  99 .sp
 100 .P
 101 This can be done by any user with the \fBsolaris.smf.value.process-security\fR
 102 authorization.
 103 .P
 104 Since security-flags are strictly inherited, this will not take effect until
 105 the system or zone is next booted.
 106 
 107 .SH "SEE ALSO"
 108 .BR psecflags (1),
 109 .BR svccfg (1M),
 110 .BR brk (2),
 111 .BR exec (2),
 112 .BR mmap (2),
 113 .BR mmapobj (2),
 114 .BR privileges (5),
 115 .BR rbac (5)
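
Review bot: The restore example at new line 96 (`delpropvalue default/aslr true`) removes only a value matching `true`, so where `default/aslr` was previously set to `false` it would leave that value in place and the flag would stay off instead of returning to its default. Since new lines 81-82 make "no value" the third state, the text should say that the pattern has to match the currently configured value, or show a form that clears either value. It should also state explicitly that `false` turns the flag off rather than meaning "unset", because the page still calls these boolean properties. Separately, the sentence at new lines 81-82 is a comma splice; "The value indicates the setting of the flag; flags with no value take their defaults." reads better, and it would help to name which default is meant.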