SECURITY-FLAGS(7) Device and Network Interfaces SECURITY-FLAGS(7)
- process security flags
Each process on an illumos system has an associated set of security-flags
which describe additional per-process security and exploit mitigation
features which are enabled for that process.
There are four sets of these flags for each process, the effective set
) are the set which currently apply to the process and are
immutable. The inheritable set (abbreviated I
) are the flags which will
become effective the next time the process calls one of the exec(2)
family of functions, and will be inherited as both the effective and
inheritable sets by any child processes. The upper set (abbreviated U
specify the maximal flags that a process can have in its inheritable set.
The lower set (abbreviated L
) specify the minimal amount of flags that a
process must have in its inheritable set. The inheritable set may be
changed at any time, subject to permissions and the lower and upper sets.
To change the security-flags of a process one must have both permissions
equivalent to those required to send a signal to the process and have the PRIV_PROC_SECFLAGS
Currently available features are:
Address Space Layout Randomisation (ASLR
The base addresses of the stack, heap and shared library
) mappings are randomised, the bases of mapped
regions other than those using MAP_FIXED
Currently, executable base addresses are not
to which the mitigation provided by this feature is currently
This flag may also be enabled by the presence of the DT_SUNW_ASLR
dynamic tag in the .dynamic
section of the
executable file. If this tag has a value of 1, ASLR will be
enabled. If the flag has a value of 0
ASLR will be disabled.
If the tag is not present, the value of the ASLR flag will be
inherited as normal.
Forbid mappings at NULL (FORBIDNULLMAP
Mappings with an address of 0 are forbidden, and return EINVAL
rather than being honored.
Make the userspace stack non-executable (NOEXECSTACK
The stack will be mapped without executable permission, and
attempts to execute it will fault.
System default security-flags are configured via properties on the svc:/system/process-security
service, which contains a boolean property
per-flag in the default
, property groups. The value
indicates the setting of the flag, flags with no value take their
defaults. For example, to enable ASLR by default you would execute the
# svccfg -s svc:/system/process-security setprop default/aslr = true
To restore the setting to the defaults you would execute:
# svccfg -s svc:/system/process-security delpropvalue default/aslr true
This can be done by any user with the solaris.smf.value.process-security
Since security-flags are strictly inherited, this will not take effect
until the system or zone is next booted.
SEE ALSO psecflags(1)
June 6, 2016 SECURITY-FLAGS(7)