This file and its contents are supplied under the terms of the
Common Development and Distribution License ("CDDL"), version 1.0.
You may only use this file in accordance with the terms of version
1.0 of the CDDL.
A full copy of the text of the CDDL should have accompanied this
source. A copy of the CDDL is also available via the Internet at
http://www.illumos.org/license/CDDL.
Copyright 2015, Richard Lowe.
/usr/bin/psecflags -s spec -e command \ [arg]...
/usr/bin/psecflags -s spec [-i idtype] \ id ...
/usr/bin/psecflags [-F] { pid | core }
/usr/bin/psecflags -l
The second invocation modifies the security-flags of the processes described by idtype and id according as described by the -s argument.
The third invocation describes the security-flags of the specified processes or core files. The effective set is signified by 'E', the inheritable set by 'I', the lower set by 'L', and the upper set by 'U'.
The fourth invocation lists the supported process security-flags, documented in security-flags(5).
Interpret the remaining arguments as a command line and run the command with the security-flags specified with the -s flag.
Force. Grab the target process even if another process has control.
This option, together with the id arguments specify one or more processes whose security-flags will be modified. The interpretation of the id arguments is based on idtype. If idtype is omitted the default is pid. Valid idtype options are: all
The psecflags command applies to all processes
The security-flags of any process with a contract ID matching the id arguments are modified.
The security-flags of any process with a group ID matching the id arguments are modified.
The security-flags of any process with a process ID matching the id arguments are modified. This is the default.
The security-flags of any processes whose parent process ID matches the id arguments are modified.
The security-flags of any process whose project ID matches the id arguments are modified.
The security-flags of any process whose session ID matches the id arguments are modified.
The security-flags of any process whose task ID matches the id arguments are modified.
The security-flags of any process belonging to the users matching the id arguments are modified.
The security-flags of any process running in the zones matching the given id arguments are modified.
List all supported process security-flags, described in security-flags(5).
Modify the process security-flags according to specification. Specifications take the form of a comma-separated list of flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the given flag should be removed from the specification. The pseudo-flags "all", "none" and "current" are supported, to indicate that all flags, no flags, or the current set of flags (respectively) are to be included.
By default, the inheritable flags are changed. You may optionally specify the set to change using their single-letter identifiers and an equals sign.
For a list of valid security-flags, see psecflags -l.
Example 1 Display the security-flags of the current shell.
example$ psecflags $$
100718: -sh
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
Example 2 Run a user command with ASLR enabled in addition to any inherited security flags.
example$ psecflags -s current,aslr -e /bin/sh
$ psecflags $$
100724: -sh
E: none
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
Example 3 Remove aslr from the inheritable flags of all Bob's processes.
example# psecflags -s current,-aslr -i uid bob
Example 4 Add the aslr flag to the lower set, so that all future child processes must have this flag set.
example# psecflags -s L=current,aslr $$
0
Success.non-zero
An error has occurred.See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE ATTRIBUTE VALUE |
| Interface Stability Volatile |