il_7029-4 Cdiff usr/src/cmd/svc/svccfg/svccfg

Print this page

7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


*** 1012,1021 ****
--- 1012,1025 ----
  
          if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_RESOURCE_POOL,
              SCF_TYPE_ASTRING, ctx, "resource_pool", NULL) != 0)
                  return (-1);
  
+         if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_SECFLAGS,
+             SCF_TYPE_ASTRING, ctx, "security_flags", NULL) != 0)
+                 return (-1);
+ 
          for (cursor = ctx->xmlChildrenNode; cursor != NULL;
              cursor = cursor->next) {
                  if (lxml_ignorable_block(cursor))
                          continue;
  
*** 1098,1108 ****
                  return (-1);
  
          /*
           * There is a possibility that a method context also exists, in which
           * case the following attributes are defined: project, resource_pool,
!          * working_directory, profile, user, group, privileges, limit_privileges
           */
          for (cursor = emeth->xmlChildrenNode; cursor != NULL;
              cursor = cursor->next) {
                  if (lxml_ignorable_block(cursor))
                          continue;
--- 1102,1113 ----
                  return (-1);
  
          /*
           * There is a possibility that a method context also exists, in which
           * case the following attributes are defined: project, resource_pool,
!          * working_directory, profile, user, group, privileges,
!          * limit_privileges, security_flags
           */
          for (cursor = emeth->xmlChildrenNode; cursor != NULL;
              cursor = cursor->next) {
                  if (lxml_ignorable_block(cursor))
                          continue;
*** 3351,3361 ****
   * in early manifest import due to upgrade process needing
   * information that has not yet been supplied by manifests
   * that are still located in the /var/svc manifests directory.
   */
  static int
! lxml_check_upgrade(const char *service) {
          scf_handle_t    *h = NULL;
          scf_scope_t     *sc = NULL;
          scf_service_t   *svc = NULL;
          scf_propertygroup_t     *pg = NULL;
          int rc = SCF_FAILED;
--- 3356,3367 ----
   * in early manifest import due to upgrade process needing
   * information that has not yet been supplied by manifests
   * that are still located in the /var/svc manifests directory.
   */
  static int
! lxml_check_upgrade(const char *service)
! {
          scf_handle_t    *h = NULL;
          scf_scope_t     *sc = NULL;
          scf_service_t   *svc = NULL;
          scf_propertygroup_t     *pg = NULL;
          int rc = SCF_FAILED;