Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

Split Close
Expand all
Collapse all
          --- old/usr/src/head/libzonecfg.h
          +++ new/usr/src/head/libzonecfg.h
↓ open down ↓ 244 lines elided ↑ open up ↑
 245  245          gid_t   zone_devperm_gid;
 246  246          mode_t  zone_devperm_mode;
 247  247          char    *zone_devperm_acl;
 248  248  };
 249  249  
 250  250  struct zone_admintab {
 251  251          char    zone_admin_user[MAXUSERNAME];
 252  252          char    zone_admin_auths[MAXAUTHS];
 253  253  };
 254  254  
      255 +#define ZONECFG_SECFLAGS_MAX    1024
      256 +struct zone_secflagstab {
      257 +        char zone_secflags_lower[ZONECFG_SECFLAGS_MAX];
      258 +        char zone_secflags_upper[ZONECFG_SECFLAGS_MAX];
      259 +        char zone_secflags_default[ZONECFG_SECFLAGS_MAX];
      260 +};
      261 +
 255  262  typedef struct zone_userauths {
 256  263          char                    user[MAXUSERNAME];
 257  264          char                    zonename[ZONENAME_MAX];
 258  265          struct zone_userauths   *next;
 259  266  } zone_userauths_t;
 260  267  
 261  268  typedef struct {
 262  269          uu_avl_node_t   zpe_entry;
 263  270          char            *zpe_name;
 264  271          char            *zpe_vers;
↓ open down ↓ 156 lines elided ↑ open up ↑
 421  428  extern  int     zonecfg_modify_pset(zone_dochandle_t, struct zone_psettab *);
 422  429  extern  int     zonecfg_lookup_pset(zone_dochandle_t, struct zone_psettab *);
 423  430  
 424  431  /*
 425  432   * mem-cap configuration.
 426  433   */
 427  434  extern  int     zonecfg_delete_mcap(zone_dochandle_t);
 428  435  extern  int     zonecfg_modify_mcap(zone_dochandle_t, struct zone_mcaptab *);
 429  436  extern  int     zonecfg_lookup_mcap(zone_dochandle_t, struct zone_mcaptab *);
 430  437  
      438 +/* security-flags configuration */
      439 +extern  int     zonecfg_add_secflags(zone_dochandle_t,
      440 +    struct zone_secflagstab *);
      441 +extern  int     zonecfg_delete_secflags(zone_dochandle_t,
      442 +    struct zone_secflagstab *);
      443 +extern  int     zonecfg_modify_secflags(zone_dochandle_t,
      444 +    struct zone_secflagstab *, struct zone_secflagstab *);
      445 +extern  int     zonecfg_lookup_secflags(zone_dochandle_t,
      446 +    struct zone_secflagstab *);
      447 +
 431  448  /*
 432  449   * Temporary pool support functions.
 433  450   */
 434  451  extern  int     zonecfg_destroy_tmp_pool(char *, char *, int);
 435  452  extern  int     zonecfg_bind_tmp_pool(zone_dochandle_t, zoneid_t, char *, int);
 436  453  extern  int     zonecfg_bind_pool(zone_dochandle_t, zoneid_t, char *, int);
 437  454  extern  boolean_t zonecfg_warn_poold(zone_dochandle_t);
 438  455  extern  int     zonecfg_get_poolname(zone_dochandle_t, char *, char *, size_t);
 439  456  
 440  457  /*
↓ open down ↓ 47 lines elided ↑ open up ↑
 488  505  extern  int     zonecfg_getmcapent(zone_dochandle_t, struct zone_mcaptab *);
 489  506  extern  int     zonecfg_getpkgdata(zone_dochandle_t, uu_avl_pool_t *,
 490  507      uu_avl_t *);
 491  508  extern  int     zonecfg_setdevperment(zone_dochandle_t);
 492  509  extern  int     zonecfg_getdevperment(zone_dochandle_t,
 493  510      struct zone_devpermtab *);
 494  511  extern  int     zonecfg_enddevperment(zone_dochandle_t);
 495  512  extern  int     zonecfg_setadminent(zone_dochandle_t);
 496  513  extern  int     zonecfg_getadminent(zone_dochandle_t, struct zone_admintab *);
 497  514  extern  int     zonecfg_endadminent(zone_dochandle_t);
      515 +extern  int     zonecfg_getsecflagsent(zone_dochandle_t,
      516 +    struct zone_secflagstab *);
 498  517  
 499  518  /*
 500  519   * Privilege-related functions.
 501  520   */
 502  521  extern  int     zonecfg_default_privset(priv_set_t *, const char *);
 503  522  extern  int     zonecfg_get_privset(zone_dochandle_t, priv_set_t *,
 504  523      char **);
 505  524  extern  int     zonecfg_get_limitpriv(zone_dochandle_t, char **);
 506  525  extern  int     zonecfg_set_limitpriv(zone_dochandle_t, char *);
 507  526  
↓ open down ↓ 93 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX