7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

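--- a/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1.man.txt
+++ b/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1.man.txt
@@ -123,24 +123,29 @@
 
 <!ELEMENT mcap      EMPTY>
 
 <!ATTLIST mcap      physcap        CDATA #REQUIRED>
 
 <!ELEMENT admin     EMPTY>
 
 <!ATTLIST admin          user      CDATA #REQUIRED
                          auths          CDATA #REQUIRED>
 
+<!ELEMENT security-flags      EMPTY>
+
+<!ATTLIST security-flags      default        CDATA ""            lower
+          CDATA ""            upper          CDATA "">
+
 <!ELEMENT zone      (filesystem | inherited-pkg-dir | network | device |
                deleted-device | rctl | attr | dataset | package |               patch | dev-
-perm | tmp_pool | pset |                mcap | admin)*>
+perm | tmp_pool | pset |                mcap | admin | security-flags)*>
 
 <!ATTLIST zone      name      CDATA #REQUIRED               zonepath  CDATA
 #REQUIRED                autoboot  (true | false) #REQUIRED                ip-
 type      CDATA ""            hostid         CDATA ""            pool
           CDATA ""            limitpriv CDATA ""            bootargs  CDATA ""
                brand          CDATA ""            scheduling-class    CDATA ""            fs-
 allowed   CDATA ""            version        NMTOKEN #FIXED '1'>
 
 
 
                                 June 30, 2016                              ()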
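Review bot: The three new `security-flags` attributes are all declared `CDATA ""`, so the DTD accepts any string and gives an omitted `upper` the same value as an explicitly empty one. For an upper bound those two cases presumably need different meanings (no restriction versus no flag permitted), and the code that reads the attributes is not visible on this page. The `zone` content model `(... | admin | security-flags)*` also lets the element appear more than once, so the reader has to define which instance applies. I would state both rules beside the element, for example `<!-- security-flags: at most one per zone; "" means the attribute is not configured -->` (adjusted to the intended semantics), and confirm that the consumer rejects unknown flag names instead of ignoring them.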
    
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX