7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


9499                 export_pg(pg, eelts, SCE_ALL_VALUES);
9500 
9501                 return;
9502         }
9503 
9504 
9505         /*
9506          * If we're going to have a method_context child, we need to know
9507          * before we iterate through the properties.  Since method_context's
9508          * are optional, we don't want to complain about any properties
9509          * missing if none of them are there.  Thus we can't use the
9510          * convenience functions.
9511          */
9512         nonenv =
9513             scf_pg_get_property(pg, SCF_PROPERTY_WORKING_DIRECTORY, NULL) ==
9514             SCF_SUCCESS ||
9515             scf_pg_get_property(pg, SCF_PROPERTY_PROJECT, NULL) ==
9516             SCF_SUCCESS ||
9517             scf_pg_get_property(pg, SCF_PROPERTY_RESOURCE_POOL, NULL) ==
9518             SCF_SUCCESS ||


9519             scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, NULL) ==
9520             SCF_SUCCESS;
9521 
9522         if (nonenv) {
9523                 ctxt = xmlNewNode(NULL, (xmlChar *)"method_context");
9524                 if (ctxt == NULL)
9525                         uu_die(emsg_create_xml);
9526 
9527                 if (pg_get_prop(pg, SCF_PROPERTY_WORKING_DIRECTORY, exp_prop) ==
9528                     0 &&
9529                     set_attr_from_prop_default(exp_prop, ctxt,
9530                     "working_directory", ":default") != 0)
9531                         err = 1;
9532 
9533                 if (pg_get_prop(pg, SCF_PROPERTY_PROJECT, exp_prop) == 0 &&
9534                     set_attr_from_prop_default(exp_prop, ctxt, "project",
9535                     ":default") != 0)
9536                         err = 1;
9537 
9538                 if (pg_get_prop(pg, SCF_PROPERTY_RESOURCE_POOL, exp_prop) ==
9539                     0 &&
9540                     set_attr_from_prop_default(exp_prop, ctxt,
9541                     "resource_pool", ":default") != 0)
9542                         err = 1;






9543                 /*
9544                  * We only want to complain about profile or credential
9545                  * properties if we will use them.  To determine that we must
9546                  * examine USE_PROFILE.
9547                  */
9548                 if (pg_get_prop(pg, SCF_PROPERTY_USE_PROFILE, exp_prop) == 0 &&
9549                     prop_check_type(exp_prop, SCF_TYPE_BOOLEAN) == 0 &&
9550                     prop_get_val(exp_prop, exp_val) == 0) {
9551                         if (scf_value_get_boolean(exp_val, &use_profile) !=
9552                             SCF_SUCCESS) {
9553                                 scfdie();
9554                         }
9555 
9556                         if (use_profile) {
9557                                 xmlNodePtr prof;
9558 
9559                                 prof = xmlNewChild(ctxt, NULL,
9560                                     (xmlChar *)"method_profile", NULL);
9561                                 if (prof == NULL)
9562                                         uu_die(emsg_create_xml);


9645                         if (m == NULL)
9646                                 uu_die(emsg_create_xml);
9647 
9648                         if (set_attr_from_prop(exp_prop, m, value_attr) == 0) {
9649                                 elts.stability = m;
9650                                 continue;
9651                         }
9652 
9653                         xmlFreeNode(m);
9654                 } else if (strcmp(exp_str, SCF_PROPERTY_WORKING_DIRECTORY) ==
9655                     0 ||
9656                     strcmp(exp_str, SCF_PROPERTY_PROJECT) == 0 ||
9657                     strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0 ||
9658                     strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
9659                         if (nonenv)
9660                                 continue;
9661                 } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0 ||
9662                     strcmp(exp_str, SCF_PROPERTY_GROUP) == 0 ||
9663                     strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0 ||
9664                     strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0 ||
9665                     strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0) {

9666                         if (nonenv && !use_profile)
9667                                 continue;
9668                 } else if (strcmp(exp_str, SCF_PROPERTY_PROFILE) == 0) {
9669                         if (nonenv && use_profile)
9670                                 continue;
9671                 } else if (strcmp(exp_str, SCF_PROPERTY_ENVIRONMENT) == 0) {
9672                         if (env != NULL)
9673                                 continue;
9674                 }
9675 
9676                 export_property(exp_prop, exp_str, &elts, SCE_ALL_VALUES);
9677         }
9678         if (ret == -1)
9679                 scfdie();
9680 
9681         (void) xmlAddChild(n, elts.stability);
9682         (void) xmlAddChildList(n, elts.propvals);
9683         (void) xmlAddChildList(n, elts.properties);
9684 
9685         if (eelts->exec_methods == NULL)


9831                 (void) xmlAddChild(n, env);
9832 
9833         if (scf_iter_pg_properties(exp_prop_iter, pg) != SCF_SUCCESS)
9834                 scfdie();
9835 
9836         while ((ret = scf_iter_next_property(exp_prop_iter, exp_prop)) == 1) {
9837                 if (scf_property_get_name(exp_prop, exp_str, exp_str_sz) < 0)
9838                         scfdie();
9839 
9840                 if (strcmp(exp_str, SCF_PROPERTY_WORKING_DIRECTORY) == 0) {
9841                         if (set_attr_from_prop(exp_prop, n,
9842                             "working_directory") != 0)
9843                                 err = 1;
9844                 } else if (strcmp(exp_str, SCF_PROPERTY_PROJECT) == 0) {
9845                         if (set_attr_from_prop(exp_prop, n, "project") != 0)
9846                                 err = 1;
9847                 } else if (strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0) {
9848                         if (set_attr_from_prop(exp_prop, n,
9849                             "resource_pool") != 0)
9850                                 err = 1;




9851                 } else if (strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
9852                         /* EMPTY */
9853                 } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0) {
9854                         if (use_profile ||
9855                             set_attr_from_prop(exp_prop, cred, "user") != 0)
9856                                 err = 1;
9857                 } else if (strcmp(exp_str, SCF_PROPERTY_GROUP) == 0) {
9858                         if (use_profile ||
9859                             set_attr_from_prop(exp_prop, cred, "group") != 0)
9860                                 err = 1;
9861                 } else if (strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0) {
9862                         if (use_profile || set_attr_from_prop(exp_prop, cred,
9863                             "supp_groups") != 0)
9864                                 err = 1;
9865                 } else if (strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0) {
9866                         if (use_profile || set_attr_from_prop(exp_prop, cred,
9867                             "privileges") != 0)
9868                                 err = 1;
9869                 } else if (strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) ==
9870                     0) {




9499                 export_pg(pg, eelts, SCE_ALL_VALUES);
9500 
9501                 return;
9502         }
9503 
9504 
9505         /*
9506          * If we're going to have a method_context child, we need to know
9507          * before we iterate through the properties.  Since method_context's
9508          * are optional, we don't want to complain about any properties
9509          * missing if none of them are there.  Thus we can't use the
9510          * convenience functions.
9511          */
9512         nonenv =
9513             scf_pg_get_property(pg, SCF_PROPERTY_WORKING_DIRECTORY, NULL) ==
9514             SCF_SUCCESS ||
9515             scf_pg_get_property(pg, SCF_PROPERTY_PROJECT, NULL) ==
9516             SCF_SUCCESS ||
9517             scf_pg_get_property(pg, SCF_PROPERTY_RESOURCE_POOL, NULL) ==
9518             SCF_SUCCESS ||
9519             scf_pg_get_property(pg, SCF_PROPERTY_SECFLAGS, NULL) ==
9520             SCF_SUCCESS ||
9521             scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, NULL) ==
9522             SCF_SUCCESS;
9523 
9524         if (nonenv) {
9525                 ctxt = xmlNewNode(NULL, (xmlChar *)"method_context");
9526                 if (ctxt == NULL)
9527                         uu_die(emsg_create_xml);
9528 
9529                 if (pg_get_prop(pg, SCF_PROPERTY_WORKING_DIRECTORY, exp_prop) ==
9530                     0 &&
9531                     set_attr_from_prop_default(exp_prop, ctxt,
9532                     "working_directory", ":default") != 0)
9533                         err = 1;
9534 
9535                 if (pg_get_prop(pg, SCF_PROPERTY_PROJECT, exp_prop) == 0 &&
9536                     set_attr_from_prop_default(exp_prop, ctxt, "project",
9537                     ":default") != 0)
9538                         err = 1;
9539 
9540                 if (pg_get_prop(pg, SCF_PROPERTY_RESOURCE_POOL, exp_prop) ==
9541                     0 &&
9542                     set_attr_from_prop_default(exp_prop, ctxt,
9543                     "resource_pool", ":default") != 0)
9544                         err = 1;
9545 
9546                 if (pg_get_prop(pg, SCF_PROPERTY_SECFLAGS, exp_prop) == 0 &&
9547                     set_attr_from_prop_default(exp_prop, ctxt,
9548                     "security_flags", ":default") != 0)
9549                         err = 1;
9550 
9551                 /*
9552                  * We only want to complain about profile or credential
9553                  * properties if we will use them.  To determine that we must
9554                  * examine USE_PROFILE.
9555                  */
9556                 if (pg_get_prop(pg, SCF_PROPERTY_USE_PROFILE, exp_prop) == 0 &&
9557                     prop_check_type(exp_prop, SCF_TYPE_BOOLEAN) == 0 &&
9558                     prop_get_val(exp_prop, exp_val) == 0) {
9559                         if (scf_value_get_boolean(exp_val, &use_profile) !=
9560                             SCF_SUCCESS) {
9561                                 scfdie();
9562                         }
9563 
9564                         if (use_profile) {
9565                                 xmlNodePtr prof;
9566 
9567                                 prof = xmlNewChild(ctxt, NULL,
9568                                     (xmlChar *)"method_profile", NULL);
9569                                 if (prof == NULL)
9570                                         uu_die(emsg_create_xml);


9653                         if (m == NULL)
9654                                 uu_die(emsg_create_xml);
9655 
9656                         if (set_attr_from_prop(exp_prop, m, value_attr) == 0) {
9657                                 elts.stability = m;
9658                                 continue;
9659                         }
9660 
9661                         xmlFreeNode(m);
9662                 } else if (strcmp(exp_str, SCF_PROPERTY_WORKING_DIRECTORY) ==
9663                     0 ||
9664                     strcmp(exp_str, SCF_PROPERTY_PROJECT) == 0 ||
9665                     strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0 ||
9666                     strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
9667                         if (nonenv)
9668                                 continue;
9669                 } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0 ||
9670                     strcmp(exp_str, SCF_PROPERTY_GROUP) == 0 ||
9671                     strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0 ||
9672                     strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0 ||
9673                     strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0 ||
9674                     strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
9675                         if (nonenv && !use_profile)
9676                                 continue;
9677                 } else if (strcmp(exp_str, SCF_PROPERTY_PROFILE) == 0) {
9678                         if (nonenv && use_profile)
9679                                 continue;
9680                 } else if (strcmp(exp_str, SCF_PROPERTY_ENVIRONMENT) == 0) {
9681                         if (env != NULL)
9682                                 continue;
9683                 }
9684 
9685                 export_property(exp_prop, exp_str, &elts, SCE_ALL_VALUES);
9686         }
9687         if (ret == -1)
9688                 scfdie();
9689 
9690         (void) xmlAddChild(n, elts.stability);
9691         (void) xmlAddChildList(n, elts.propvals);
9692         (void) xmlAddChildList(n, elts.properties);
9693 
9694         if (eelts->exec_methods == NULL)


9840                 (void) xmlAddChild(n, env);
9841 
9842         if (scf_iter_pg_properties(exp_prop_iter, pg) != SCF_SUCCESS)
9843                 scfdie();
9844 
9845         while ((ret = scf_iter_next_property(exp_prop_iter, exp_prop)) == 1) {
9846                 if (scf_property_get_name(exp_prop, exp_str, exp_str_sz) < 0)
9847                         scfdie();
9848 
9849                 if (strcmp(exp_str, SCF_PROPERTY_WORKING_DIRECTORY) == 0) {
9850                         if (set_attr_from_prop(exp_prop, n,
9851                             "working_directory") != 0)
9852                                 err = 1;
9853                 } else if (strcmp(exp_str, SCF_PROPERTY_PROJECT) == 0) {
9854                         if (set_attr_from_prop(exp_prop, n, "project") != 0)
9855                                 err = 1;
9856                 } else if (strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0) {
9857                         if (set_attr_from_prop(exp_prop, n,
9858                             "resource_pool") != 0)
9859                                 err = 1;
9860                 } else if (strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
9861                         if (set_attr_from_prop(exp_prop, n,
9862                             "security_flags") != 0)
9863                                 err = 1;
9864                 } else if (strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
9865                         /* EMPTY */
9866                 } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0) {
9867                         if (use_profile ||
9868                             set_attr_from_prop(exp_prop, cred, "user") != 0)
9869                                 err = 1;
9870                 } else if (strcmp(exp_str, SCF_PROPERTY_GROUP) == 0) {
9871                         if (use_profile ||
9872                             set_attr_from_prop(exp_prop, cred, "group") != 0)
9873                                 err = 1;
9874                 } else if (strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0) {
9875                         if (use_profile || set_attr_from_prop(exp_prop, cred,
9876                             "supp_groups") != 0)
9877                                 err = 1;
9878                 } else if (strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0) {
9879                         if (use_profile || set_attr_from_prop(exp_prop, cred,
9880                             "privileges") != 0)
9881                                 err = 1;
9882                 } else if (strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) ==
9883                     0) {
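Review bot: In the property-filter chain at new lines 9669-9676, `SCF_PROPERTY_SECFLAGS` is grouped with the credential properties and skipped only when `nonenv && !use_profile`, yet at 9546-9549 `security_flags` is written onto the `method_context` node whenever `nonenv` is true, regardless of `use_profile`. For a method with `use_profile` set, the secflags property therefore appears to fall through to `export_property()` and be emitted a second time as a generic property. It looks like it belongs in the preceding group, `strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0 || strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0 ||`, whose test is the plain `if (nonenv) continue;`; that would match the chain at 9860-9863, which sets it on `n` like `working_directory` rather than on `cred`. The loop head and the enclosing function are outside the excerpt, so confirm this against the full file; because these flags carry the per-process exploit mitigations, an export/import round trip with `use_profile` true is worth testing.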