Grsecurity/Appendix/Object Modes

Subject Attributes Object Modes PaX Flags

Mode Meaning
Object Permission Modes
none Lack of any of the below modes implies "find" access to the object. The object can be listed and have its ownership, size, etc. information obtained, but cannot be read or modified.
a This object can be opened for appending.
c Allow creation of the file/directory.
d Allow deletion of the file/directory.
f Needed to mark the pipe used for communication with init to transfer the privilege of the persistent role; only valid within a persistent role. Transfer only occurs when the file is opened for writing.
h This object is hidden.
i This mode only applies to binaries. When the object is executed, it inherits the ACL of the subject in which it was contained.
l Lowercase L. Allow a hardlink at this path. Hardlinking requires a minimum of c and l modes, and the target link cannot have any greater permission than the source file.
m Allow creation of setuid/setgid files/directories and modification of files/directories to be setuid/setgid.
p Reject all ptraces to this object.
r This object can be opened for reading.
t This object can be ptraced, but cannot modify the running task. This is referred to as a 'read-only ptrace'.
w This object can be opened for writing or appending.
x This object can be executed (or mmap'd with PROT_EXEC into a task).

Mode Meaning
Object Auditing Flags
A Audit successful appends to this object.
C Audit the creation of the file/directory.
D Audit the deletion of the file/directory.
F Audit successful finds of this object.
I Audit successful ACL inherits of this object.
L Audit link creation.
M Audit the setuid/setgid creation/modification.
R Audit successful reads to this object.
W Audit successful writes to this object.
X Audit successful execs of this object.

Mode Meaning
Other Object Flags
s Logs will be suppressed for denied access to this object.
Next Page: PaX Flags | Previous Page: Subject Attributes
Home: Grsecurity/Appendix