PSECFLAGS(1) User Commands PSECFLAGS(1)
psecflags - inspect or modify process security flags
/usr/bin/psecflags -s spec -e command [arg]...
/usr/bin/psecflags -s spec [-i idtype] id ...
/usr/bin/psecflags [-F] { pid | core }
/usr/bin/psecflags -l
The first invocation of the psecflags command runs the specified
command with the security-flags modified as described by the -s
argument.
The second invocation modifies the security-flags of the processes
described by idtype and id according as described by the -s argument.
The third invocation describes the security-flags of the specified
processes or core files. The effective set is signified by 'E', the
inheritable set by 'I', the lower set by 'L', and the upper set by
'U'.
The fourth invocation lists the supported process security-flags,
documented in security-flags(7).
The following options are supported:
-e
Interpret the remaining arguments as a command line and
run the command with the security-flags specified with the
-s flag.
-F
Force. Grab the target process even if another process has
control.
-i idtype
This option, together with the id arguments specify one or
more processes whose security-flags will be modified. The
interpretation of the id arguments is based on idtype. If
idtype is omitted the default is pid.
Valid idtype options are:
all
The psecflags command applies to all processes
contract, ctid
The security-flags of any process with a
contract ID matching the id arguments are
modified.
group, gid
The security-flags of any process with a group
ID matching the id arguments are modified.
pid
The security-flags of any process with a
process ID matching the id arguments are
modified. This is the default.
ppid
The security-flags of any processes whose
parent process ID matches the id arguments are
modified.
project, projid
The security-flags of any process whose project
ID matches the id arguments are modified.
session, sid
The security-flags of any process whose session
ID matches the id arguments are modified.
taskid
The security-flags of any process whose task ID
matches the id arguments are modified.
user, uid
The security-flags of any process belonging to
the users matching the id arguments are
modified.
zone, zoneid
The security-flags of any process running in
the zones matching the given id arguments are
modified.
-l
List all supported process security-flags, described in
security-flags(7).
-s specification
Modify the process security-flags according to
specification. Specifications take the form of a comma-
separated list of flags, optionally preceded by a '-' or
'!'. Where '-' and '!' indicate that the given flag should
be removed from the specification. The pseudo-flags
"all", "none" and "current" are supported, to indicate
that all flags, no flags, or the current set of flags
(respectively) are to be included.
By default, the inheritable flags are changed. You may
optionally specify the set to change using their single-
letter identifiers and an equals sign.
For a list of valid security-flags, see psecflags -l.
example$ psecflags $$
100718: -sh
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
inherited security flags.
example$ psecflags -s current,aslr -e /bin/sh
$ psecflags $$
100724: -sh
E: none
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
processes.
example# psecflags -s current,-aslr -i uid bob
child processes must have this flag set.
example# psecflags -s L=current,aslr $$
The following exit values are returned:
0
Success.
non-zero
An error has occurred.
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Volatile |
+--------------------+-----------------+
exec(2), attributes(7), contract(5), security-flags(7), zones(7)
June 6, 2016 PSECFLAGS(1)
NAME
psecflags - inspect or modify process security flags
SYNOPSIS
/usr/bin/psecflags -s spec -e command [arg]...
/usr/bin/psecflags -s spec [-i idtype] id ...
/usr/bin/psecflags [-F] { pid | core }
/usr/bin/psecflags -l
DESCRIPTION
The first invocation of the psecflags command runs the specified
command with the security-flags modified as described by the -s
argument.
The second invocation modifies the security-flags of the processes
described by idtype and id according as described by the -s argument.
The third invocation describes the security-flags of the specified
processes or core files. The effective set is signified by 'E', the
inheritable set by 'I', the lower set by 'L', and the upper set by
'U'.
The fourth invocation lists the supported process security-flags,
documented in security-flags(7).
OPTIONS
The following options are supported:
-e
Interpret the remaining arguments as a command line and
run the command with the security-flags specified with the
-s flag.
-F
Force. Grab the target process even if another process has
control.
-i idtype
This option, together with the id arguments specify one or
more processes whose security-flags will be modified. The
interpretation of the id arguments is based on idtype. If
idtype is omitted the default is pid.
Valid idtype options are:
all
The psecflags command applies to all processes
contract, ctid
The security-flags of any process with a
contract ID matching the id arguments are
modified.
group, gid
The security-flags of any process with a group
ID matching the id arguments are modified.
pid
The security-flags of any process with a
process ID matching the id arguments are
modified. This is the default.
ppid
The security-flags of any processes whose
parent process ID matches the id arguments are
modified.
project, projid
The security-flags of any process whose project
ID matches the id arguments are modified.
session, sid
The security-flags of any process whose session
ID matches the id arguments are modified.
taskid
The security-flags of any process whose task ID
matches the id arguments are modified.
user, uid
The security-flags of any process belonging to
the users matching the id arguments are
modified.
zone, zoneid
The security-flags of any process running in
the zones matching the given id arguments are
modified.
-l
List all supported process security-flags, described in
security-flags(7).
-s specification
Modify the process security-flags according to
specification. Specifications take the form of a comma-
separated list of flags, optionally preceded by a '-' or
'!'. Where '-' and '!' indicate that the given flag should
be removed from the specification. The pseudo-flags
"all", "none" and "current" are supported, to indicate
that all flags, no flags, or the current set of flags
(respectively) are to be included.
By default, the inheritable flags are changed. You may
optionally specify the set to change using their single-
letter identifiers and an equals sign.
For a list of valid security-flags, see psecflags -l.
EXAMPLES
Example 1: Display the security-flags of the current shell.
example$ psecflags $$
100718: -sh
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
Example 2: Run a user command with ASLR enabled in addition to any
inherited security flags.
example$ psecflags -s current,aslr -e /bin/sh
$ psecflags $$
100724: -sh
E: none
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
Example 3: Remove aslr from the inheritable flags of all Bob's
processes.
example# psecflags -s current,-aslr -i uid bob
Example 4: Add the aslr flag to the lower set, so that all future
child processes must have this flag set.
example# psecflags -s L=current,aslr $$
EXIT STATUS
The following exit values are returned:
0
Success.
non-zero
An error has occurred.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Volatile |
+--------------------+-----------------+
SEE ALSO
exec(2), attributes(7), contract(5), security-flags(7), zones(7)
June 6, 2016 PSECFLAGS(1)