
getprocxsec(1m) [hpux man page]

getprocxsec(1M) 														   getprocxsec(1M)

NAME
getprocxsec - display security attributes of a process

SYNOPSIS

DESCRIPTION
The command displays security attributes associated with a running process. These attributes include the permitted privilege set, effective privilege set, retained privilege set, euid, and the compartment name. See privileges(5) and compartments(5).

Each process has a permitted privilege set, effective privilege set, and retained privilege set. If the compartmentalization feature is enabled, it also has a compartment. When a process is created, the child process inherits these attributes from the parent. When a process executes a binary, these attributes can be changed. See setfilexsec(1M) and getfilexsec(1M) for information on how these extended attributes can be manipulated at execution time.

For compatibility, the kernel handles processes with effective uid of zero in special ways. If the compartmentalization feature is disabled, these processes are treated as though they have all root replacement privileges. If, on the other hand, the compartmentalization feature is enabled, these processes are treated as though they have all the root replacement privileges except those configured as disallowed privileges for the compartment.

Options
recognizes the following options:

    Displays the compartment name of the process. If compartments are not enabled, nothing is reported for this option. If compartments are enabled, all the kernel processes would be reported as running in "RESERVED CMPT".

    Displays the implementation effective privilege set.

    Displays the full form of the lists.

    Displays the implementation permitted privilege set.

    Displays the implementation retained privilege set.

If none of the above options are specified, the default is

Operands
recognizes the following operand:

    pid    The process ID of the process whose attributes are being displayed. If pid is displays attributes of this process. If pid is it displays attributes of the process' parent. If pid is not specified, it defaults to this process (equivalent to

Security Restrictions
The specified process must be visible to the user invoking this command or the user must have the privilege.

RETURN VALUE
returns the following values:

    Successful completion. The attributes are displayed.

    An error occurred. An error can be caused by an invalid option or because the specified process is not visible to the user.

EXAMPLES
Example 1: Display the privilege sets and compartment of the current process:

Sample output:

    effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero

Example 2: Display the privilege sets and compartment of the parent process:

Sample output:

    effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero

Example 3: Display the full privilege sets and compartment of an arbitrary process:

Sample output:

    effective= FORK EXEC SESSION LINKANY permitted= FORK EXEC SESSION LINKANY retained= FORK EXEC SESSION LINKANY cmpt= web euid= non-zero

SEE ALSO
getfilexsec(1M), setfilexsec(1M), compartments(5), privileges(5).

getprocxsec(1M)
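
Because of the compatibility rule in DESCRIPTION, the displayed sets understate what a process can do when euid= zero (Example 1 shows BASIC sets together with euid= zero). The check below is an added example, not part of the HP-UX man page: it reads attribute text in the form shown under EXAMPLES and applies that rule. The function names parse_xsec and audit_xsec, the OK/REVIEW/UNKNOWN labels, and the line layout of the samples are assumptions.

```shell
# Added example, not HP-UX code. Sample values are the EXAMPLES output from
# the page; how they are split across lines is constructed for the demo.
SAMPLE_ROOT='effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero'
SAMPLE_WEB='effective= FORK EXEC SESSION LINKANY
permitted= FORK EXEC SESSION LINKANY
retained= FORK EXEC SESSION LINKANY
cmpt= web
euid= non-zero'

# parse_xsec (hypothetical name): normalise to one "key=value" line per
# attribute, whether the attributes arrive on one line or several.
parse_xsec() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) {                  # "cmpt=" or "cmpt=web" starts a key
                key = substr($i, 1, eq - 1)
                order[++n] = key
                val[key] = substr($i, eq + 1)
            } else if (key != "") {        # further words of the same value
                val[key] = (val[key] == "" ? $i : val[key] " " $i)
            }
        }
    }
    END { for (j = 1; j <= n; j++) print order[j] "=" val[order[j]] }'
}

# audit_xsec (hypothetical name): apply the euid-zero compatibility rule.
# A missing or empty cmpt is read as "compartments not enabled", the
# broadest case: all root replacement privileges.
audit_xsec() {
    parse_xsec | awk -F= '
    { a[$1] = $2 }
    END {
        c = (a["cmpt"] == "" ? "-" : a["cmpt"])
        if (a["euid"] == "")
            print "UNKNOWN cmpt=" c " euid-not-reported"
        else if (a["euid"] != "zero")
            print "OK cmpt=" c " effective=" a["effective"]
        else if (c == "-")
            print "REVIEW cmpt=- implied=all-root-replacement"
        else
            print "REVIEW cmpt=" c " implied=root-replacement-minus-disallowed"
    }'
}

printf '%s\n' "$SAMPLE_ROOT" | audit_xsec
printf '%s\n' "$SAMPLE_WEB"  | audit_xsec
```

For a REVIEW line that names a compartment, the privileges to subtract are that compartment's disallowed privileges list, which getrules(1M) displays.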

getrules(1M)															      getrules(1M)

NAME
getrules - display compartment rules

SYNOPSIS
[compartment_name]... interface_name[...] ipaddr/mask[...] [interface_name...] [IPaddress...]

DESCRIPTION
displays rules defined for compartment(s) or network interface(s). This command can only be used when compartmentalization is enabled (see cmpt_tune(1M)).

If no options are specified, all subsystem rules for the given compartment are displayed. If no compartment_name is specified, information on all compartments is displayed.

Options
recognizes the following options:

    Displays all the compartments configured on the system.

    Displays the file system rules for the compartment(s).

    Displays the IPC system rules for the compartment(s).

    Displays the compartment names associated with the interface(s) and the IP address/mask as set by a previous invocation of Either the interface_name or the ipaddr/mask must be specified. More than one interface_name and/or IPaddress can be specified.

    Displays the compartment names associated with the logical interface(s) and the IP addresses as applied by the kernel. When interface rules conflict with each other, this option can be used to find how the conflicts are resolved. If no arguments are specified, information about all currently active interfaces is displayed.

    Displays the network system rules for the compartment(s).

    Displays all the interface rules being applied by the kernel on the specified compartment(s). If no compartment name is specified all the interface rules being applied by the kernel on all the existing compartments will be displayed.

    Displays the disallowed privileges list in short form for compartment(s). The short form includes compound privileges in the privilege list.

    Displays the disallowed privileges list in literal form for compartment(s). The literal form expands compound privileges in the privilege list.

    Displays all the compartment rules of the specified compartment(s) in the machine parsable format. Using the "" or "" command is useful when used in combination with discover mode. See compartments(5).

Operands
recognizes the following operands:

    compartment_name    Name of the compartment for which information is displayed.

    interface_name      Name of the network interface for which information is displayed.

    IPaddress           An IPv4 or IPv6 address.

    ipaddr/mask         An IPv4 address or an IPv6 address and the corresponding mask.

Notes
The command is provided for diagnostic purposes, and as such the output of the command may change.

Some rules can be expressed in multiple forms. For instance, specifying that it can send a signal to is the same as specifying that it can receive signals from As this command displays the rules only once, it can be misleading when interpreting the output.

Security Restrictions
The user invoking this command must have one of the following authorizations: See authadm(1M).

RETURN VALUE
returns the following values:

    Successful completion. The rules are displayed.

    An error occurred. An error can be caused by an invalid option or because the user does not have permissions to perform the operation.

EXAMPLES
Example: Display all file system rules for the compartment named web:

Sample output:

    Compartment Name: web : sealed
    Disallowed Privileges: POLICY
    File System Rules:
    ------------------
    PERMISSION                     PATHNAME
    read, write, create, unlink    /

SEE ALSO
cmpt_tune(1M), setrules(1M), compartments(4), compartments(5), privileges(5).

getrules(1M)