Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -103,10 +103,15 @@
        rctl
 
            Resource control.
 
 
+       security-flags
+
+           Process security flag settings.
+
+
    Properties
        Each resource type has one or more properties. There are also some
        global properties, that is, properties of the configuration as a whole,
        rather than of some particular resource.
 

@@ -236,10 +241,15 @@
        capped-cpu
 
            ncpus
 
 
+       security-flags
+
+           lower, default, upper.
+
+
 
        As for the property values which are paired with these names, they are
        either simple, complex, or lists. The type allowed is property-
        specific. Simple values are strings, optionally enclosed within
        quotation marks. Complex values have the syntax:
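Review bot: the new property-list entry "lower, default, upper." ends with a period while the neighbouring entry "ncpus" carries none; drop the trailing period so the list reads uniformly.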

@@ -530,10 +540,17 @@
            The capped-cpu property is an alias for zone.cpu-cap resource
            control and is related to the zone.cpu-cap resource control. See
            resource_controls(5).
 
 
+       security-flags: lower, default, upper
+
+           Set the process security flags associated with the zone.  The lower
+           and upper fields set the limits, the default field is set of flags
+           all zone processes inherit.
+
+
        global: fs-allowed
 
            A comma-separated list of additional filesystems that may be
            mounted within the zone; for example "ufs,pcfs". By default, only
            hsfs(7fs) and network filesystems can be mounted. If the first
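Review bot: the second sentence of the new security-flags description is a comma splice and is missing an article; suggest "The lower and upper fields set the limits; the default field is the set of flags all zone processes inherit." The text also leaves open what values the three fields accept and whether default must lie within the lower and upper limits (and what zonecfg does when it does not); a sentence on each, plus a pointer to security-flags(5), which this change already adds to SEE ALSO, would save the reader a trip to another page.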

@@ -589,10 +606,13 @@
          capped-memory     physical        simple with scale
                             swap            simple with scale
                             locked          simple with scale
 
          capped-cpu        ncpus           simple
+         security-flags   lower           simple
+                            default        simple
+                            upper          simple
 
 
 
 
        To further specify things, the breakdown of the complex property
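Review bot: the three new rows do not look aligned with the capped-cpu row above them: "security-flags" appears to start one column to the right of "capped-cpu", and "simple" on the default row one column to the left of the other type entries; check the whitespace against the rendered page before integration. Since each of lower, default and upper holds a set of flags rather than a single value, also confirm that "simple" (a string) rather than a list is the intended type for all three.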

@@ -1272,17 +1292,17 @@
 SEE ALSO
        ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
        poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
        sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
        kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
-       privileges(5), resource_controls(5), zones(5)
+       privileges(5), resource_controls(5), security-flags(5), zones(5)
 
 
        System Administration Guide: Solaris Containers-Resource Management,
        and Solaris Zones
 
 NOTES
        All character data used by zonecfg must be in US-ASCII encoding.
 
 
 
-                               February 28, 2014                   ZONECFG(1M)
+                                 June 6, 2016                      ZONECFG(1M)