Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 2,12 **** .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved. .\" Copyright 2013 Joyent, Inc. All Rights Reserved. .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] ! .TH ZONECFG 1M "Feb 28, 2014" .SH NAME zonecfg \- set up zone configuration .SH SYNOPSIS .LP .nf --- 2,12 ---- .\" Copyright (c) 2004, 2009 Sun Microsystems, Inc. All Rights Reserved. .\" Copyright 2013 Joyent, Inc. All Rights Reserved. .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] ! .TH ZONECFG 1M "Jun 6, 2016" .SH NAME zonecfg \- set up zone configuration .SH SYNOPSIS .LP .nf
*** 27,37 **** .nf \fBzonecfg\fR help .fi .SH DESCRIPTION - .sp .LP The \fBzonecfg\fR utility creates and modifies the configuration of a zone. Zone configuration consists of a number of resources and properties. .sp .LP --- 27,36 ----
*** 70,80 **** installed distribution in the global zone. Some brands do not support all of the \fBzonecfg\fR properties and resources. See the brand-specific man page for more details on each brand. For an overview of brands, see the \fBbrands\fR(5) man page. .SS "Resources" - .sp .LP The following resource types are supported: .sp .ne 2 .na --- 69,78 ----
*** 163,174 **** .sp .6 .RS 4n Resource control. .RE - .SS "Properties" .sp .LP Each resource type has one or more properties. There are also some global properties, that is, properties of the configuration as a whole, rather than of some particular resource. .sp --- 161,181 ---- .sp .6 .RS 4n Resource control. .RE .sp + .ne 2 + .na + \fB\fBsecurity-flags\fR\fR + .ad + .sp .6 + .RS 4n + Process security flag settings. + .RE + + .SS "Properties" .LP Each resource type has one or more properties. There are also some global properties, that is, properties of the configuration as a whole, rather than of some particular resource. .sp
*** 423,432 **** --- 430,449 ---- .RS 4n \fBncpus\fR .RE .sp + .ne 2 + .na + \fB\fBsecurity-flags\fB\fB + .ad + .sp .6 + .RS 4n + \fBlower\fR, \fBdefault\fR, \fBupper\fR. + .RE + + .sp .LP As for the property values which are paired with these names, they are either simple, complex, or lists. The type allowed is property-specific. Simple values are strings, optionally enclosed within quotation marks. Complex values have the syntax:
*** 863,872 **** --- 880,901 ---- .RE .sp .ne 2 .na + \fB\fBsecurity-flags\fR: lower, default, upper\fR + .ad + .sp .6 + .RS 4n + Set the process security flags associated with the zone. The \fBlower\fR and + \fBupper\fR fields set the limits, the \fBdefault\fR field is set of flags all + zone processes inherit. + .RE + + .sp + .ne 2 + .na \fBglobal: \fBfs-allowed\fR\fR .ad .sp .6 .RS 4n A comma-separated list of additional filesystems that may be mounted within
*** 926,935 **** --- 955,967 ---- capped-memory physical simple with scale swap simple with scale locked simple with scale capped-cpu ncpus simple + security-flags lower simple + default simple + upper simple .fi .in -2 .sp .sp
*** 942,952 **** contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot (\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for use by the system. Finally, the "autoboot" global property must have a value of "true" or "false". .SS "Using Kernel Statistics to Monitor CPU Caps" - .sp .LP Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system maintains information for all capped projects and zones. You can access this information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying \fBcaps\fR as the \fBkstat\fR module name. The following command displays --- 974,983 ----
*** 1095,1105 **** .sp .LP See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command. .SH OPTIONS - .sp .LP The following options are supported: .sp .ne 2 .na --- 1126,1135 ----
*** 1124,1134 **** name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and cannot be used. .RE .SH SUBCOMMANDS - .sp .LP You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific resource, at which point the scope changes to that resource. The \fBend\fR and \fBcancel\fR subcommands are used to complete the resource specification, at which time the scope is reverted back to global. Certain subcommands, such as --- 1154,1163 ----
*** 1801,1811 **** .fi .in -2 .sp .SH EXIT STATUS - .sp .LP The following exit values are returned: .sp .ne 2 .na --- 1830,1839 ----
*** 1835,1845 **** .RS 4n Invalid usage. .RE .SH ATTRIBUTES - .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp --- 1863,1872 ----
*** 1851,1872 **** _ Interface Stability Volatile .TE .SH SEE ALSO - .sp .LP \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M), \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M), \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M), \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C), \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5), \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5), ! \fBzones\fR(5) .sp .LP \fISystem Administration Guide: Solaris Containers-Resource Management, and Solaris Zones\fR .SH NOTES - .sp .LP All character data used by \fBzonecfg\fR must be in US-ASCII encoding. --- 1878,1897 ---- _ Interface Stability Volatile .TE .SH SEE ALSO .LP \fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M), \fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M), \fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M), \fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C), \fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5), \fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5), ! \fBsecurity-flags\fR(5), \fBzones\fR(5) .sp .LP \fISystem Administration Guide: Solaris Containers-Resource Management, and Solaris Zones\fR .SH NOTES .LP All character data used by \fBzonecfg\fR must be in US-ASCII encoding.
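Review bot: In the hunk at new lines 161-181 (the Resources list), the added `security-flags` entry leaves an empty source line between its closing `.RE` and `.SS "Properties"`. A blank line in roff input is rendered as extra vertical space, and the rest of this patch is busy removing stray `.sp` requests after section headers, so the new entry should not reintroduce spacing that way. Drop the empty line. The same `.RE`, empty line, `.sp` pattern is added again in the hunks at 430-449 and 880-901.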
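Review bot: In the hunk at new lines 430-449 (the resource/property name list), the tag line `\fB\fBsecurity-flags\fB\fB` never switches back to roman, so bold stays in effect past the tag until the next font escape. It should read `\fB\fBsecurity-flags\fR\fR`, matching the entry added in the Resources list at 161-181.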
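Review bot: The description added at new lines 880-901 does not say what values the `lower`, `default` and `upper` fields accept, or how `default` is constrained by the two limits; the property table hunk at 955-967 only lists them as "simple". A pointer to `security-flags`(5), which this patch already adds to SEE ALSO, would cover that in one sentence. In the same paragraph, "the \fBdefault\fR field is set of flags all zone processes inherit" is missing an article: "is the set of flags".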