Grsecurity/Appendix/Subject Modes
Mode | Meaning |
---|---|
a | Allow this process to talk to the /dev/grsec device. |
b | Enable process accounting for processes in this subject. |
d | Protect the /proc/<pid>/fd, /proc/<pid>/mem, /proc/<pid>/cmdline, and /proc/<pid>/environ entries for processes in this subject. |
h | This process is hidden and only viewable by processes with the v mode. |
i | Enable inheritance-based learning, causing all accesses of this subject and anything it executes to be logged as originating from this subject. The policy generated from this learning will have the inheritance flag added to every file executed from this subject. |
k | This process can kill protected processes. |
l | Enables learning mode for this process. |
o | Override ACL inheritance for this process. |
p | This process is protected; it can only be killed by processes with the k mode, or by processes within the same subject. |
r | Relax ptrace restrictions (allows ptracing of processes other than one's own children). |
s | (In v2.2.1 and above): Enable AT_SECURE when entering this subject. This enables the same environment sanitization that occurs in glibc upon execution of a suid binary. |
t | Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries). This flag also allows a process to use CLONE_FS and execute a binary that causes a subject change. |
v | This process can view hidden processes. |
x | Allows executable anonymous shared memory for this subject. |
A | Protect the shared memory of this subject. No other processes but processes contained within this subject may access the shared memory of this subject. |
C | Auto-kill all processes belonging to the attacker's IP address upon violation of security policy. |
K | When processes belonging to this subject generate an alert, kill the process. |
O | Allow loading of writable libraries. |
T | Deny execution of binaries or scripts that are writable by any other subject in the policy. This flag is evaluated at policy enable time. All binaries with execute permission that are writable by another subject (ignoring special roles) will be reported and the RBAC system will not allow itself to be enabled until the changes are made. |
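As an added illustration of how these letters are applied, the following RBAC policy fragment is an example written for this page; it is not from the original page or from a policy shipped by the grsecurity project, and the role names, binary paths and port are assumed. It shows a daemon that is hidden (h) and protected (p) and killed on alert (K), a supervisor that is granted v and k so it can see and terminate that daemon, and an admin special role whose root subject carries r, v, k and a from the table above.

```text
# Added example policy fragment (assumed paths and names; not a shipped grsecurity policy).
# Subject lines take the form:  subject <path> <subject mode letters>
# followed by that subject's object and capability rules, terminated by a blank line.

# Special admin role (s = special role, A = admin). Its subject carries
# r (relaxed ptrace), v (view hidden processes), k (kill protected processes)
# and a (may talk to /dev/grsec).
role admin sA
subject / rvka
        /                       rwcdmlxi

# Default role for everyone else; only an explicit transition reaches admin.
role default G
role_transitions admin

# Catch-all subject: no special subject modes, read-only filesystem view,
# scratch space under /tmp, no capabilities.
subject /
        /                       r
        /tmp                    rwcd
        -CAP_ALL

# Network daemon: h hides it from subjects lacking v, p means only a subject
# with k (or a process inside this subject) may kill it, K terminates it if
# it triggers an alert. It may only bind its own port and never connect out.
subject /usr/sbin/example-daemon hpK
        /                       r
        /var/lib/example        rwcd
        -CAP_ALL
        +CAP_NET_BIND_SERVICE
        bind    0.0.0.0/0:443 stream tcp
        connect disabled

# Process supervisor: v lets it see the hidden daemon, k lets it stop the
# protected daemon. It is deliberately not given r or t, so it cannot ptrace it.
subject /usr/sbin/example-supervisor vk
        /                       r
        /usr/sbin/example-daemon x
        -CAP_ALL
        +CAP_KILL
        bind    disabled
        connect disabled
```

Note that the pairing of modes is what matters: h without any subject holding v leaves the daemon invisible even to its own supervisor, and p without a matching k means only the daemon's own subject can stop it. If the supervisor binary were writable by another subject in the policy, the T mode on the daemon subject would cause the policy to be rejected at enable time until the permissions were corrected.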