--- /dev/null
+.TH "chcontext" "1" "0.1.0" "Klavs Klavsen <kl@vsen.dk>" "System Administration"
+.SH "NAME"
+.LP
+chcontext \- chcontext allocates a new security context and executes a command in that context.
+.SH "SYNTAX"
+.LP
+chcontext [\fIoptions\fP] <\fIcommand arguments\fP>
+.SH "DESCRIPTION"
+.LP
+chcontext allocates a new security context and executes a command in that context.
+By default, a new/unused context is allocated
+.SH "OPTIONS"
+.LP
+.TP
+\fB\-\-cap\fR CAP_NAME
+Add a capability from the command. This option may be repeated several time. See /usr/include/linux/capability.h In general, this option is used with the \-\-secure option. \-\-secure removes most critical capabilities and \-\-cap adds specific ones.
+.TP
+\fB\-\-cap\fR !CAP_NAME
+Remove a capability from the command. This option may be repeated several time. See /usr/include/linux/capability.h
+.TP
+\fB\-\-ctx\fR num
+Select the context. Only root in context 0 is allowed to select a specific context.
+Context number 1 is special. It can see all processes in any contexts, but can't kill them though.
+.TP
+\fB\-\-disconnect\fR
+Start the command in background and make the process a child of process 1.
+.TP
+\fB\-\-domainname\fR new_domainname
+Set the domainname (NIS) in the new security context.
+Use "none" to unset the domainname.
+.TP
+\fB\-\-flag\fR
+Set one flag in the new or current security context. The following flags are supported. The option may be used several time.
+ lock: The new process is trapped and can't use
+ chcontext anymore.
+ sched: The new process and its children will
+ share a common execution priority.
+ nproc: Limit the number of process in the
+ vserver according to ulimit setting.
+ Normally, ulimit is a per user thing.
+ With this flag, it becomes a per vserver
+ thing.
+ private: No one can join this security context
+ once created.
+.TP
+\fB\-\-hostname\fR new_hostname
+Set the hostname in the new security context.
+This is needed because if you create a less privileged security context, it may be unable to change its hostname.
+.TP
+\fB\-\-secure\fR
+Remove all the capabilities to make a virtual server trustable.
+.TP
+\fB\-\-silent\fR
+Do not print the allocated context number.
+.LP
+Information about context is found in /proc/self/status
+.SH "FILES"
+.LP
+\fI/usr/sbin/chcontext\fP
+
+
+.SH "EXAMPLES"
+.LP
+# You must be root, running X.
+# We start an xterm in another security context
+/usr/sbin/chcontext xterm &
+
+# We check, there is no xterm running, yet we can
+# see it.
+ps ax | grep xterm
+
+# Are we running in security context 0
+# We check the s_context line in /proc/self/status
+cat /proc/self/status
+
+# Ok we in security context 0
+# Try the security context 1
+/usr/sbin/chcontext \-\-ctx 1 ps ax | grep xterm
+
+# Ok, we see the xterm, we try to kill it
+/usr/sbin/chcontext \-\-ctx 1 killall xterm
+
+# No, security context 1 can see, but can't kill
+# let's find out in which security context this
+# xterm is running
+/usr/sbin/chcontext \-\-ctx 1 ps ax | grep xterm
+
+# Ok, this is PID XX. We need the security context
+/usr/sbin/chcontext \-\-ctx 1 cat /proc/XX/status
+
+# We see the s_context, this is SS.
+# We want to kill this process
+/usr/sbin/chcontext \-\-ctx SS killall xterm
+.LP
+Please contribute some, if you feel it's important.
+.SH "AUTHORS"
+.LP
+This Man page was written by Klavs Klavsen <kl@vsen.dk> and based upon the helpful output from the program itself and the documentation on the Virtual Server site <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>
+.SH "SEE ALSO"
+.LP
+chbind(8) rebootmgr(8) reducecap(8)
+vps(8) vpstree(8) vrpm(8) vserver(8)
+vserver\-stat(8) vtop(8)
git://git.onelab.eu / util-vserver.git / blobdiff