Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

Split Close
Expand all
Collapse all
          --- old/usr/src/cmd/zoneadmd/vplat.c
          +++ new/usr/src/cmd/zoneadmd/vplat.c
↓ open down ↓ 69 lines elided ↑ open up ↑
  70   70  #include <sys/mount.h>
  71   71  #include <sys/mntent.h>
  72   72  #include <sys/socket.h>
  73   73  #include <sys/utsname.h>
  74   74  #include <sys/types.h>
  75   75  #include <sys/stat.h>
  76   76  #include <sys/sockio.h>
  77   77  #include <sys/stropts.h>
  78   78  #include <sys/conf.h>
  79   79  #include <sys/systeminfo.h>
       80 +#include <sys/secflags.h>
  80   81  
  81   82  #include <libdlpi.h>
  82   83  #include <libdllink.h>
  83   84  #include <libdlvlan.h>
  84   85  
  85   86  #include <inet/tcp.h>
  86   87  #include <arpa/inet.h>
  87   88  #include <netinet/in.h>
  88   89  #include <net/route.h>
  89   90  
↓ open down ↓ 4494 lines elided ↑ open up ↑
4584 4585              sizeof (hostid))) != 0) {
4585 4586                  zerror(zlogp, B_TRUE,
4586 4587                      "zone hostid is not valid: %s: %d", hostidp, res);
4587 4588                  return (Z_SYSTEM);
4588 4589          }
4589 4590  
4590 4591          return (res);
4591 4592  }
4592 4593  
4593 4594  static int
     4595 +setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid)
     4596 +{
     4597 +        psecflags_t secflags;
     4598 +        struct zone_secflagstab tab = {0};
     4599 +        secflagdelta_t delt;
     4600 +        int res;
     4601 +
     4602 +        res = zonecfg_lookup_secflags(handle, &tab);
     4603 +
     4604 +        if ((res != Z_OK) &&
     4605 +            /* The general defaulting code will handle this */
     4606 +            (res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)) {
     4607 +                zerror(zlogp, B_FALSE, "security-flags property is "
     4608 +                    "invalid: %d", res);
     4609 +                return (res);
     4610 +        }
     4611 +
     4612 +        if (strlen(tab.zone_secflags_lower) == 0)
     4613 +                (void) strlcpy(tab.zone_secflags_lower, "none",
     4614 +                    sizeof (tab.zone_secflags_lower));
     4615 +        if (strlen(tab.zone_secflags_default) == 0)
     4616 +                (void) strlcpy(tab.zone_secflags_default,
     4617 +                    tab.zone_secflags_lower,
     4618 +                    sizeof (tab.zone_secflags_default));
     4619 +        if (strlen(tab.zone_secflags_upper) == 0)
     4620 +                (void) strlcpy(tab.zone_secflags_upper, "all",
     4621 +                    sizeof (tab.zone_secflags_upper));
     4622 +
     4623 +        if (secflags_parse(NULL, tab.zone_secflags_default,
     4624 +            &delt) == -1) {
     4625 +                zerror(zlogp, B_FALSE, "default security-flags: '%s'"
     4626 +                    "are invalid", tab.zone_secflags_default);
     4627 +                return (Z_BAD_PROPERTY);
     4628 +        } else if (delt.psd_ass_active != B_TRUE) {
     4629 +                zerror(zlogp, B_FALSE, "relative security-flags are not "
     4630 +                    "allowed in zone configuration (default "
     4631 +                    "security-flags: '%s')",
     4632 +                    tab.zone_secflags_default);
     4633 +                return (Z_BAD_PROPERTY);
     4634 +        } else {
     4635 +                secflags_copy(&secflags.psf_inherit, &delt.psd_assign);
     4636 +                secflags_copy(&secflags.psf_effective, &delt.psd_assign);
     4637 +        }
     4638 +
     4639 +        if (secflags_parse(NULL, tab.zone_secflags_lower,
     4640 +            &delt) == -1) {
     4641 +                zerror(zlogp, B_FALSE, "lower security-flags: '%s'"
     4642 +                    "are invalid", tab.zone_secflags_lower);
     4643 +                return (Z_BAD_PROPERTY);
     4644 +        } else if (delt.psd_ass_active != B_TRUE) {
     4645 +                zerror(zlogp, B_FALSE, "relative security-flags are not "
     4646 +                    "allowed in zone configuration (lower "
     4647 +                    "security-flags: '%s')",
     4648 +                    tab.zone_secflags_lower);
     4649 +                return (Z_BAD_PROPERTY);
     4650 +        } else {
     4651 +                secflags_copy(&secflags.psf_lower, &delt.psd_assign);
     4652 +        }
     4653 +
     4654 +        if (secflags_parse(NULL, tab.zone_secflags_upper,
     4655 +            &delt) == -1) {
     4656 +                zerror(zlogp, B_FALSE, "upper security-flags: '%s'"
     4657 +                    "are invalid", tab.zone_secflags_upper);
     4658 +                return (Z_BAD_PROPERTY);
     4659 +        } else if (delt.psd_ass_active != B_TRUE) {
     4660 +                zerror(zlogp, B_FALSE, "relative security-flags are not "
     4661 +                    "allowed in zone configuration (upper "
     4662 +                    "security-flags: '%s')",
     4663 +                    tab.zone_secflags_upper);
     4664 +                return (Z_BAD_PROPERTY);
     4665 +        } else {
     4666 +                secflags_copy(&secflags.psf_upper, &delt.psd_assign);
     4667 +        }
     4668 +
     4669 +        if (!psecflags_validate(&secflags)) {
     4670 +                zerror(zlogp, B_TRUE, "security-flags violate invariants");
     4671 +                return (Z_BAD_PROPERTY);
     4672 +        }
     4673 +
     4674 +        if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags,
     4675 +            sizeof (secflags))) != 0) {
     4676 +                zerror(zlogp, B_TRUE,
     4677 +                    "security-flags couldn't be set: %d", res);
     4678 +                return (Z_SYSTEM);
     4679 +        }
     4680 +
     4681 +        return (Z_OK);
     4682 +}
     4683 +
     4684 +static int
4594 4685  setup_zone_fs_allowed(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid)
4595 4686  {
4596 4687          char fsallowed[ZONE_FS_ALLOWED_MAX];
4597 4688          char *fsallowedp = fsallowed;
4598 4689          int len = sizeof (fsallowed);
4599 4690          int res;
4600 4691  
4601 4692          res = zonecfg_get_fs_allowed(handle, fsallowed, len);
4602 4693  
4603 4694          if (res == Z_BAD_PROPERTY) {
4604 4695                  /* No value, set the defaults */
4605 4696                  (void) strlcpy(fsallowed, DFLT_FS_ALLOWED, len);
4606 4697          } else if (res != Z_OK) {
4607 4698                  report_prop_err(zlogp, "fs-allowed", fsallowed, res);
4608 4699                  return (res);
4609 4700          } else if (fsallowed[0] == '-') {
4610      -                /* dropping default privs - use remaining list */
     4701 +                /* dropping default filesystems - use remaining list */
4611 4702                  if (fsallowed[1] != ',')
4612 4703                          return (Z_OK);
4613 4704                  fsallowedp += 2;
4614 4705                  len -= 2;
4615 4706          } else {
4616 4707                  /* Has a value, append the defaults */
4617 4708                  if (strlcat(fsallowed, ",", len) >= len ||
4618 4709                      strlcat(fsallowed, DFLT_FS_ALLOWED, len) >= len) {
4619 4710                          report_prop_err(zlogp, "fs-allowed", fsallowed,
4620 4711                              Z_TOO_BIG);
↓ open down ↓ 24 lines elided ↑ open up ↑
4645 4736                  zerror(zlogp, B_FALSE, "invalid configuration");
4646 4737                  goto out;
4647 4738          }
4648 4739  
4649 4740          if ((res = setup_zone_hostid(handle, zlogp, zoneid)) != Z_OK)
4650 4741                  goto out;
4651 4742  
4652 4743          if ((res = setup_zone_fs_allowed(handle, zlogp, zoneid)) != Z_OK)
4653 4744                  goto out;
4654 4745  
     4746 +        if ((res = setup_zone_secflags(handle, zlogp, zoneid)) != Z_OK)
     4747 +                goto out;
     4748 +
4655 4749  out:
4656 4750          zonecfg_fini_handle(handle);
4657 4751          return (res);
4658 4752  }
4659 4753  
4660 4754  zoneid_t
4661 4755  vplat_create(zlog_t *zlogp, zone_mnt_t mount_cmd)
4662 4756  {
4663 4757          zoneid_t rval = -1;
4664 4758          priv_set_t *privs;
↓ open down ↓ 660 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX