getpflags(2) System Calls getpflags(2)
NAME
getpflags, setpflags - get or set process flags
SYNOPSIS
#include <sys/types.h>
#include <priv.h>
uint_t getpflags(uint_t flag);
int setpflags(uint_t flag, uint_t value);
DESCRIPTION
The getpflags() and setpflags() functions obtain and modify the current
per-process flags.
The following values for flag are supported:
PRIV_AWARE
This one-bit flag takes the value of 0 (unset) or 1 (set). Only if
this flag is set is the current process privilege-aware. A process
can attempt to unset this flag but might fail silently if the
observed set invariance condition cannot be met. Setting this flag
is always successful.
When the PRIV_AWARE flag is set or unset, the observed effective
and permitted sets do not change. This is possible when setting
PRIV_AWARE, but it is not always possible when PRIV_AWARE is unset.
For more information, see the privileges(7) man page.
PRIV_AWARE_RESET
This one-bit flag takes the value of 0 (unset) or 1 (set). This
causes a process to pretend it is not privilege-aware. The effective
and permitted privilege sets change on the change of the effective
uid. When all the uid sets become the same through setuid(uid) or
through setreuid(uid, uid), the effective and permitted sets are set
to the intersection of the limit set and the inheritable set. At
that point, both PRIV_AWARE and PRIV_AWARE_RESET are unset.
This flag gets automatically reset when a process becomes
privilege-aware, either through calling setppriv(2) or by setting
PRIV_AWARE to 1.
PRIV_DEBUG
This one-bit flag takes the value of 0 (unset) or 1 (set). Only if
this flag is set does the current process have privilege debugging
enabled. Processes can set and unset this flag at will.
PRIV_PFEXEC
This one-bit flag takes the value of 0 (unset) or 1 (set). Only if
this flag is set is the current process a profile shell. Every time
exec(2) is called, the exec_attr(5) database for the current user's
profiles database is queried and the appropriate attributes are
applied to the new program. PRIV_PFEXEC is inherited except when
the real UID is changed as a result of the applied attributes.
PRIV_PFEXEC_AUTH
This one-bit flag takes the value of 0 (unset) or 1 (set). The flag
is set when the user successfully reauthenticates prior to executing
a command which matches an entry in the user's authenticated
profiles set, and the PRIV_PFEXEC flag is already set in the parent
process. When these two flags are set, the process can execute
commands which match the exec_attr(5) database for the user's
authenticated profiles set, without subsequent reauthentication.
PRIV_PFEXEC_AUTH is inherited except when the real UID is changed
as a result of the applied attributes. The privilege
PRIV_PROC_SETID is required to set this flag.
PRIV_PROC_TPD
This one-bit flag takes the value of 0 (unset) or 1 (set). This bit
has no meaning outside of an immutable zone. In an immutable zone,
a process with this flag set is allowed to modify files which are
MWAC protected, for example when updating the system or changing
over to a new boot environment. Such a process is prevented from
opening files which can be modified by processes without this flag
set, unless PRIV_TPD_UNSAFE is also set.
PRIV_PROC_TPD_RESET
This one-bit flag takes the value of 0 (unset) or 1 (set). When this
flag is set, PRIV_PROC_TPD is reset on exec(). For more information,
see the exec(2) man page.
PRIV_TPD_KILLABLE
This one-bit flag takes the value of 0 (unset) or 1 (set). Normally,
a process in the Trusted Path cannot receive any signals from
outside of the Trusted Path. When this bit is set, the system will
forward signals from a non-TPD process.
PRIV_TPD_UNSAFE
This one-bit flag takes the value of 0 (unset) or 1 (set). This bit
has no meaning outside of an immutable zone. If this flag is set in
a TPD process, that process may read files which can be modified by
all privileged processes in the zone, and may open STREAM devices,
doors, and pipes when the peer is not a TPD process.
PRIV_XPOLICY
This one-bit flag takes the value of 0 (unset) or 1 (set). Only if
this flag is set does the current process honor its Extended Policy
(see privileges(7)).
NET_MAC_AWARE
NET_MAC_AWARE_INHERIT
These flags are available only if the system is configured with
Trusted Extensions. These one-bit flags each take the value of 0
(unset) or 1 (set). If the NET_MAC_AWARE flag is set, the current
process is allowed to communicate with peers at labels that are
different from its own, subject to MAC policy.
The NET_MAC_AWARE_INHERIT flag controls the propagation of the
NET_MAC_AWARE flag. When a process performs one of the exec(2)
functions, the NET_MAC_AWARE flag is unset unless the
NET_MAC_AWARE_INHERIT is set. NET_MAC_AWARE_INHERIT is always unset
on one of the exec functions. The PRIV_NET_MAC_AWARE privilege is
required to set either of these flags.
PRIV_PROC_SENSITIVE
This one-bit flag takes the value of 0 (unset) or 1 (set). If this
flag is set, it is assumed that the process contains sensitive data:
non-privileged users cannot observe it through proc tools, cannot
truss it, and cannot dump its core. Processes can set and unset
this flag at will. For more information, see the proc(1) and
ppriv(1) man pages.
This flag can be set automatically for the process, typically when
a privileged process performs setuid or setgid. Unsetting the flag
can expose potentially sensitive data to a wider range of users.
Historically this flag was known as SNOCD (no coredump).
RETURN VALUES
The getpflags() function returns the value associated with a given
per-process flag. If the flag argument is invalid, (uint_t)-1 is
returned and errno is set to indicate the error.
Upon successful completion, setpflags() returns 0. Otherwise, -1 is
returned and errno is set to indicate the error.
ERRORS
The getpflags() and setpflags() functions will fail if:
EINVAL The value of flag or the value to which the flag is set is
out of range.
The setpflags() function will fail if:
EPERM An attempt was made to unset PRIV_PFEXEC.
An attempt was made to unset PRIV_AWARE but the observed set
invariance condition was not met.
An attempt was made to set NET_MAC_AWARE, PRIV_PFEXEC_AUTH,
NET_MAC_AWARE_INHERIT, or PRIV_PROC_TPD without sufficient
privileges.
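The following is an added example, not part of the man page, showing how a program that handles secrets would set PRIV_PROC_SENSITIVE (which any process may set at will) and how to distinguish the (uint_t)-1 error return of getpflags() from a real flag value, using the EINVAL/EPERM contract documented above. On Solaris it compiles against the real <priv.h>; on other hosts a clearly labelled emulation of only the documented error rules stands in (its flag numbers are placeholders, not the values from <priv.h>) so the calling logic can still be compiled and exercised.

```c
/* Added example: sensitive-mode helper around getpflags()/setpflags().
 * Not code from the getpflags(2) man page. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __sun
#include <sys/types.h>
#include <priv.h>
#else
/* Emulation for non-Solaris hosts: implements only the error contract the
 * man page documents. Flag numbers are placeholders, not <priv.h> values. */
typedef unsigned int uint_t;
enum { PRIV_DEBUG = 1, PRIV_PFEXEC, PRIV_PROC_SENSITIVE, FLAG_MAX };
static uint_t emu_flags[FLAG_MAX];
uint_t getpflags(uint_t flag) {
    if (flag == 0 || flag >= FLAG_MAX) { errno = EINVAL; return (uint_t)-1; }
    return emu_flags[flag];
}
int setpflags(uint_t flag, uint_t value) {
    if (flag == 0 || flag >= FLAG_MAX || value > 1) { errno = EINVAL; return -1; }
    if (flag == PRIV_PFEXEC && value == 0) { errno = EPERM; return -1; }
    emu_flags[flag] = value;
    return 0;
}
#endif

/* Returns 1 if set, 0 if unset, -1 on error with errno set. A plain
 * "if (getpflags(f))" would treat the (uint_t)-1 error return as "set". */
int pflag_state(uint_t flag) {
    errno = 0;
    uint_t v = getpflags(flag);
    if (v == (uint_t)-1 && errno != 0) return -1;
    return (int)v;
}

/* Mark the process as holding sensitive data before secrets are loaded,
 * and verify the flag really took rather than assuming success. */
int enter_sensitive_mode(void) {
    if (setpflags(PRIV_PROC_SENSITIVE, 1) != 0) return -1;
    return pflag_state(PRIV_PROC_SENSITIVE) == 1 ? 0 : -1;
}

int main(void) {
    if (enter_sensitive_mode() != 0) { perror("PRIV_PROC_SENSITIVE"); return 1; }
    printf("sensitive=%d debug=%d\n",
           pflag_state(PRIV_PROC_SENSITIVE), pflag_state(PRIV_DEBUG));
    /* A value other than 0 or 1 is rejected with EINVAL, as documented. */
    if (setpflags(PRIV_DEBUG, 2) == -1)
        printf("setpflags(PRIV_DEBUG, 2): %s\n", strerror(errno));
    return 0;
}
```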
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed
MT-Level               Async-Signal-Safe
SEE ALSO
ppriv(1), exec(2), kill(2), setppriv(2), attributes(7), privileges(7),
tpd(7)
Oracle Solaris 11.4 3 Nov 2021 getpflags(2)