Diffstat (limited to 'usr/src/man/man5')
-rw-r--r-- usr/src/man/man5/Makefile | 1
-rw-r--r-- usr/src/man/man5/privileges.5 | 13
-rw-r--r-- usr/src/man/man5/security-flags.5 | 115
-rw-r--r-- usr/src/man/man5/smf_method.5 | 38
4 files changed, 152 insertions, 15 deletions
diff --git a/usr/src/man/man5/Makefile b/usr/src/man/man5/Makefile
index 896752d883..3faa1135cd 100644
--- a/usr/src/man/man5/Makefile
+++ b/usr/src/man/man5/Makefile
@@ -114,6 +114,7 @@ MANFILES= Intro.5 \
regex.5 \
regexp.5 \
resource_controls.5 \
+ security-flags.5 \
smf.5 \
smf_bootstrap.5 \
smf_method.5 \
diff --git a/usr/src/man/man5/privileges.5 b/usr/src/man/man5/privileges.5
index f7f332c613..ac613ccad5 100644
--- a/usr/src/man/man5/privileges.5
+++ b/usr/src/man/man5/privileges.5
@@ -4,7 +4,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH PRIVILEGES 5 "April 9, 2016"
+.TH PRIVILEGES 5 "Jun 6, 2016"
.SH NAME
privileges \- process privilege model
.SH DESCRIPTION
@@ -582,6 +582,17 @@ including the RT class.
.sp
.ne 2
.na
+\fB\PRIV_PROC_SECFLAGS\fR
+.ad
+.sp .6
+.RS 4n
+Allow a process to manipulate the secflags of processes (subject to,
+additionally, the ability to signal that process).
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBPRIV_PROC_SESSION\fR\fR
.ad
.sp .6
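Review bot: the new entry `+\fB\PRIV_PROC_SECFLAGS\fR` contains a stray `\P` escape and does not match the markup of the neighbouring entries such as `\fB\fBPRIV_PROC_SESSION\fR\fR`; write it as `\fB\fBPRIV_PROC_SECFLAGS\fR\fR` so the privilege name renders like the others. The description would also read more plainly as "Allow a process to manipulate the secflags of processes, provided it could also send a signal to that process", which states the same two requirements without the parenthetical aside.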
diff --git a/usr/src/man/man5/security-flags.5 b/usr/src/man/man5/security-flags.5
new file mode 100644
index 0000000000..2868d38d15
--- /dev/null
+++ b/usr/src/man/man5/security-flags.5
@@ -0,0 +1,115 @@
+.\"
+.\" This file and its contents are supplied under the terms of the
+.\" Common Development and Distribution License ("CDDL"), version 1.0.
+.\" You may only use this file in accordance with the terms of version
+.\" 1.0 of the CDDL.
+.\"
+.\" A full copy of the text of the CDDL should have accompanied this
+.\" source. A copy of the CDDL is also available via the Internet at
+.\" http://www.illumos.org/license/CDDL.
+.\"
+.\" Copyright 2015, Richard Lowe.
+.\"
+.TH "SECURITY-FLAGS" "5" "June 6, 2016"
+.SH "NAME"
+\fBsecurity-flags\fR - process security flags
+.SH "DESCRIPTION"
+Each process on an illumos system has an associated set of security-flags
+which describe additional per-process security and exploit mitigation
+features which are enabled for that process.
+.P
+There are four sets of these flags for each process, the effective set
+(abbreviated \fIE\fR) are the set which currently apply to the process and are
+immutable. The inheritable set (abbreviated \fII\fR) are the flags which will
+become effective the next time the process calls one of the \fBexec(2)\fR
+family of functions, and will be inherited as both the effective and
+inheritable sets by any child processes. The upper set (abbreviated \fIU\fR)
+specify the maximal flags that a process can have in its inheritable set. The
+lower set (abbreviated \fIL\fR) specify the minimal amount of flags that a
+process must have in its inheritable set. The inheritable set may be changed
+at any time, subject to permissions and the lower and upper sets.
+.P
+To change the security-flags of a process one must have both permissions
+equivalent to those required to send a signal to the process and have the
+\fBPRIV_PROC_SECFLAGS\fR privilege.
+.P
+Currently available features are:
+
+.sp
+.ne 2
+.na
+Address Space Layout Randomisation (\fBASLR\fR)
+.ad
+.RS 11n
+The base addresses of the stack, heap and shared library (including
+\fBld.so\fR) mappings are randomised, the bases of mapped regions other than
+those using \fBMAP_FIXED\fR are randomised.
+.P
+Currently, executable base addresses are \fInot\fR randomised, due to which
+the mitigation provided by this feature is currently limited.
+.P
+This flag may also be enabled by the presence of the \fBDT_SUNW_ASLR\fR
+dynamic tag in the \fB.dynamic\fR section of the executable file. If this
+tag has a value of 1, ASLR will be enabled. If the flag has a value of
+\fB0\fR ASLR will be disabled. If the tag is not present, the value of the
+ASLR flag will be inherited as normal.
+.RE
+
+.sp
+.ne 2
+.na
+Forbid mappings at NULL (\fBFORBIDNULLMAP\fR)
+.ad
+.RS 11n
+Mappings with an address of 0 are forbidden, and return EINVAL rather than
+being honored.
+.RE
+
+.sp
+.ne 2
+.na
+Make the userspace stack non-executable (\fBNOEXECSTACK\fR)
+.ad
+.RS 11n
+The stack will be mapped without executable permission, and attempts to
+execute it will fault.
+.RE
+
+System default security-flags are configured via properties on the
+\fBsvc:/system/process-security\fR service, which contains a boolean property
+per-flag in the \fBdefault\fR, \fBlower\fR and \fBupper\fR, property groups.
+The value indicates the setting of the flag, flags with no value take their
+defaults. For example, to enable ASLR by default you would execute the
+following commands:
+.sp
+.in +2
+.nf
+# svccfg -s svc:/system/process-security setprop default/aslr = true
+.fi
+.in -2
+.sp
+.P
+To restore the setting to the defaults you would execute:
+.sp
+.in +2
+.nf
+# svccfg -s svc:/system/process-security delpropvalue default/aslr true
+.fi
+.in -2
+.sp
+.P
+This can be done by any user with the \fBsolaris.smf.value.process-security\fR
+authorization.
+.P
+Since security-flags are strictly inherited, this will not take effect until
+the system or zone is next booted.
+
+.SH "SEE ALSO"
+.BR psecflags (1),
+.BR svccfg (1M),
+.BR brk (2),
+.BR exec (2),
+.BR mmap (2),
+.BR mmapobj (2),
+.BR privileges (5),
+.BR rbac (5)
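Review bot: the two sentences describing `DT_SUNW_ASLR` are inconsistent with each other: `+tag has a value of 1, ASLR will be enabled. If the flag has a value of` calls the same thing "the tag" and then "the flag", and bolds `\fB0\fR` but not `1`; refer to the tag in both sentences and mark up both values the same way. Two smaller points: the opening paragraph of DESCRIPTION ("There are four sets of these flags for each process, the effective set ... are the set which currently apply") is a comma splice and reads better as "There are four sets of these flags for each process. The effective set ..."; and `+per-flag in the \fBdefault\fR, \fBlower\fR and \fBupper\fR, property groups.` has a stray comma before "property groups". `EINVAL` in the FORBIDNULLMAP entry could be `\fBEINVAL\fR` for consistency with the other identifiers on the page.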
diff --git a/usr/src/man/man5/smf_method.5 b/usr/src/man/man5/smf_method.5
index 818abb75b4..71a595aea0 100644
--- a/usr/src/man/man5/smf_method.5
+++ b/usr/src/man/man5/smf_method.5
@@ -3,11 +3,10 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SMF_METHOD 5 "May 20, 2009"
+.TH SMF_METHOD 5 "June 6, 2016"
.SH NAME
smf_method \- service management framework conventions for methods
.SH DESCRIPTION
-.sp
.LP
The class of services managed by \fBsvc.startd\fR(1M) in the service management
framework, \fBsmf\fR(5), consists of applications that fit a simple
@@ -17,7 +16,6 @@ with additional capabilities. The \fBsvc.startd\fR(1M) daemon and other
restarters require that the methods which activate, manipulate, or examine a
service instance follow the conventions described in this manual page.
.SS "Invocation form"
-.sp
.LP
The form of a method invocation is not dictated by convention. In some cases, a
method invocation might consist of the direct invocation of the daemon or other
@@ -43,7 +41,6 @@ A restarter might define other kinds of methods beyond those referenced in this
page. The conventions surrounding such extensions are defined by the restarter
and might not be identical to those given here.
.SS "Environment Variables"
-.sp
.LP
The restarter provides four environment variables to the method that determine
the context in which the method is invoked.
@@ -100,7 +97,6 @@ shell scripting to compose service methods in the include file described below.
The method context can cause other environment variables to be set as described
below.
.SS "Method Definition"
-.sp
.LP
A method is defined minimally by three properties in a propertygroup of type
\fBmethod\fR.
@@ -140,7 +136,6 @@ Method type. Currently always set to \fBmethod\fR.
A Method Context can be defined to further refine the execution environment of
the method. See the \fBMethod Context\fR section for more information.
.SS "Method Tokens"
-.sp
.LP
When defined in the \fBexec\fR string of the method by the restarter
\fBsvc.startd\fR, a set of tokens are parsed and expanded with appropriate
@@ -258,7 +253,6 @@ service implementation.
.RE
.SS "Exiting and Exit Status"
-.sp
.LP
The required behavior of a start method is to delay exiting until the service
instance is ready to answer requests or is otherwise functional.
@@ -298,7 +292,6 @@ Use of a precise exit code allows the responsible restarter to categorize an
error response as likely to be intermittent and worth pursuing restart or
permanent and request administrative intervention.
.SS "Timeouts"
-.sp
.LP
Each method can have an independent timeout, given in seconds. The choice of a
particular timeout should be based on site expectations for detecting a method
@@ -315,7 +308,6 @@ preferred, but is available for services that absolutely require it.
.LP
\fB-1 timeout_seconds\fR is also accepted, but is a deprecated specification.
.SS "Shell Programming Support"
-.sp
.LP
A set of environment variables that define the above exit status values is
provided with convenience shell functions in the file
@@ -349,7 +341,6 @@ fi
.LP
This example shows the use of both convenience functions that are provided.
.SS "Method Context"
-.sp
.LP
The service management facility offers a common mechanism set the context in
which the \fBfork\fR(2)-\fBexec\fR(2) model services execute.
@@ -463,6 +454,27 @@ launch the method. If the property is unset, \fB:home\fR is used.
.sp
.ne 2
.na
+\fB\fBsecurity_flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+The security flags to apply when launching the method. See \fBsecurity-flags\fR(5).
+.sp
+.LP
+The "default" keyword specifies those flags specified in
+\fBsvc:/system/process-security\fR. The "all" keyword enables all flags, the
+"none" keyword enables no flags. The "current" keyword specifies the current
+flags. Flags may be added by specifying their name (optionally preceded
+by '+'), and removed by preceding their name with '-').
+.sp
+.LP
+Use of "all" has associated risks, as future versions of the system may
+include further flags which may harm poorly implemented software.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBcorefile_pattern\fR\fR
.ad
.sp .6
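Review bot: `+by '+'), and removed by preceding their name with '-').` closes a parenthesis that was never opened; drop the final ')' so the sentence ends "... and removed by preceding their name with '-'." The keywords "default", "all", "none" and "current" are set in plain quotes while the rest of this page bolds property values with `\fB...\fR`; using the same markup here would make them easier to pick out. The warning about "all" is a useful caveat; it could also say what to do instead, namely list only the individual flags the method's software is known to tolerate, which follows directly from the risk already described.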
@@ -534,7 +546,6 @@ File descriptor \fB0\fR is \fB/dev/null\fR. File descriptors \fB1\fR and
.RE
.SH FILES
-.sp
.ne 2
.na
\fB\fB/lib/svc/share/smf_include.sh\fR\fR
@@ -555,15 +566,14 @@ Definitions of exit status codes.
.RE
.SH SEE ALSO
-.sp
.LP
\fBzonename\fR(1), \fBcoreadm\fR(1M), \fBinetd\fR(1M), \fBsvccfg\fR(1M),
\fBsvc.startd\fR(1M), \fBexec\fR(2), \fBfork\fR(2),
\fBgetdefaultproj\fR(3PROJECT), \fBexec_attr\fR(4), \fBproject\fR(4),
\fBservice_bundle\fR(4), \fBattributes\fR(5), \fBprivileges\fR(5),
-\fBrbac\fR(5), \fBsmf\fR(5), \fBsmf_bootstrap\fR(5), \fBzones\fR(5)
+\fBrbac\fR(5), \fBsmf\fR(5), \fBsmf_bootstrap\fR(5), \fBzones\fR(5),
+\fBsecurity-flags\fR(5)
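Review bot: `+\fBsecurity-flags\fR(5)` is appended after `\fBzones\fR(5)`, which breaks the alphabetical order the section 5 references in this list otherwise keep (attributes, privileges, rbac, smf, smf_bootstrap, zones); insert it between `\fBrbac\fR(5)` and `\fBsmf\fR(5)` instead.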
.SH NOTES
-.sp
.LP
The present version of \fBsmf\fR(5) does not support multiple repositories.
.sp