Print this page
uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap.  Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it

*** 102,124 **** MSG_AUXV_AT_SUN_IFLUSH, MSG_AUXV_AT_SUN_CPU }; static const conv_ds_msg_t ds_types_2000_2011 = { CONV_DS_MSG_INIT(2000, types_2000_2011) }; ! static const Msg types_2014_2023[] = { MSG_AUXV_AT_SUN_EXECNAME, MSG_AUXV_AT_SUN_MMU, MSG_AUXV_AT_SUN_LDDATA, MSG_AUXV_AT_SUN_AUXFLAGS, MSG_AUXV_AT_SUN_EMULATOR, MSG_AUXV_AT_SUN_BRANDNAME, MSG_AUXV_AT_SUN_BRAND_AUX1, MSG_AUXV_AT_SUN_BRAND_AUX2, ! MSG_AUXV_AT_SUN_BRAND_AUX3, MSG_AUXV_AT_SUN_HWCAP2 }; ! static const conv_ds_msg_t ds_types_2014_2023 = { ! CONV_DS_MSG_INIT(2014, types_2014_2023) }; static const conv_ds_t *ds[] = { CONV_DS_ADDR(ds_types_0_22), CONV_DS_ADDR(ds_types_2000_2011), ! CONV_DS_ADDR(ds_types_2014_2023), NULL }; return (conv_map_ds(ELFOSABI_NONE, EM_NONE, type, ds, fmt_flags, inv_buf)); } --- 102,125 ---- MSG_AUXV_AT_SUN_IFLUSH, MSG_AUXV_AT_SUN_CPU }; static const conv_ds_msg_t ds_types_2000_2011 = { CONV_DS_MSG_INIT(2000, types_2000_2011) }; ! static const Msg types_2014_2024[] = { MSG_AUXV_AT_SUN_EXECNAME, MSG_AUXV_AT_SUN_MMU, MSG_AUXV_AT_SUN_LDDATA, MSG_AUXV_AT_SUN_AUXFLAGS, MSG_AUXV_AT_SUN_EMULATOR, MSG_AUXV_AT_SUN_BRANDNAME, MSG_AUXV_AT_SUN_BRAND_AUX1, MSG_AUXV_AT_SUN_BRAND_AUX2, ! MSG_AUXV_AT_SUN_BRAND_AUX3, MSG_AUXV_AT_SUN_HWCAP2, ! MSG_AUXV_AT_SUN_SECFLAGS }; ! static const conv_ds_msg_t ds_types_2014_2024 = { ! CONV_DS_MSG_INIT(2014, types_2014_2024) }; static const conv_ds_t *ds[] = { CONV_DS_ADDR(ds_types_0_22), CONV_DS_ADDR(ds_types_2000_2011), ! CONV_DS_ADDR(ds_types_2014_2024), NULL }; return (conv_map_ds(ELFOSABI_NONE, EM_NONE, type, ds, fmt_flags, inv_buf)); }
*** 2580,2584 **** --- 2581,2627 ---- return (MSG_ORIG(MSG_GBL_ZERO)); (void) conv_expn_field(&arg, vda, fmt_flags); return (buf); } + + + #define PROCSECFLGSZ CONV_EXPN_FIELD_DEF_PREFIX_SIZE + \ + MSG_PROC_SEC_ASLR_SIZE + CONV_EXPN_FIELD_DEF_SEP_SIZE + \ + CONV_INV_BUFSIZE + CONV_EXPN_FIELD_DEF_SUFFIX_SIZE + + /* + * Ensure that Conv_cnote_pr_secflags_buf_t is large enough: + * + * PROCSECFLGSZ is the real minimum size of the buffer required by + * conv_cnote_psecflags(). However, Conv_cnote_pr_secflags_buf_t uses + * CONV_CNOTE_PSECFLAGS_FLAG_BUFSIZE to set the buffer size. We do things this + * way because the definition of PROCSECFLGSZ uses information that is not + * available in the environment of other programs that include the conv.h + * header file. + */ + #if (CONV_PSECFLAGS_BUFSIZE != PROCSECFLGSZ) && !defined(__lint) + #define REPORT_BUFSIZE PROCSECFLGSZ + #include "report_bufsize.h" + #error "CONV_PSECFLAGS_BUFSIZE does not match PROCSECFLGSZ" + #endif + + const char * + conv_psecflags(int flags, Conv_fmt_flags_t fmt_flags, + Conv_secflags_buf_t *secflags_buf) + { + static const Val_desc vda[] = { + { 0x0001, MSG_PROC_SEC_ASLR }, + { 0, 0 } + }; + static CONV_EXPN_FIELD_ARG conv_arg = { + NULL, sizeof (secflags_buf->buf) }; + + if (flags == 0) + return (MSG_ORIG(MSG_GBL_ZERO)); + + conv_arg.buf = secflags_buf->buf; + conv_arg.oflags = conv_arg.rflags = flags; + (void) conv_expn_field(&conv_arg, vda, fmt_flags); + + return ((const char *)secflags_buf->buf); + }