Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 103,112 **** --- 103,117 ---- rctl Resource control. + security-flags + + Process security flag settings. + + Properties Each resource type has one or more properties. There are also some global properties, that is, properties of the configuration as a whole, rather than of some particular resource.
*** 236,245 **** --- 241,255 ---- capped-cpu ncpus + security-flags + + lower, default, upper. + + As for the property values which are paired with these names, they are either simple, complex, or lists. The type allowed is property- specific. Simple values are strings, optionally enclosed within quotation marks. Complex values have the syntax:
*** 530,539 **** --- 540,556 ---- The capped-cpu property is an alias for zone.cpu-cap resource control and is related to the zone.cpu-cap resource control. See resource_controls(5). + security-flags: lower, default, upper + + Set the process security flags associated with the zone. The lower + and upper fields set the limits, the default field is set of flags + all zone processes inherit. + + global: fs-allowed A comma-separated list of additional filesystems that may be mounted within the zone; for example "ufs,pcfs". By default, only hsfs(7fs) and network filesystems can be mounted. If the first
*** 589,598 **** --- 606,618 ---- capped-memory physical simple with scale swap simple with scale locked simple with scale capped-cpu ncpus simple + security-flags lower simple + default simple + upper simple To further specify things, the breakdown of the complex property
*** 1272,1288 **** SEE ALSO ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M), poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M), sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C), kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5), ! privileges(5), resource_controls(5), zones(5) System Administration Guide: Solaris Containers-Resource Management, and Solaris Zones NOTES All character data used by zonecfg must be in US-ASCII encoding. ! February 28, 2014 ZONECFG(1M) --- 1292,1308 ---- SEE ALSO ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M), poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M), sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C), kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5), ! privileges(5), resource_controls(5), security-flags(5), zones(5) System Administration Guide: Solaris Containers-Resource Management, and Solaris Zones NOTES All character data used by zonecfg must be in US-ASCII encoding. ! June 6, 2016 ZONECFG(1M)
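Review bot: in the hunk at 540,556, the new "security-flags: lower, default, upper" paragraph reads "the default field is set of flags all zone processes inherit", which is missing an article, and it never says what the lower and upper limits constrain or which flag names are accepted. Suggest "the default field is the set of flags all zone processes inherit", one sentence on how lower and upper bound the flags a zone process can hold, and a pointer to security-flags(5), which the SEE ALSO hunk already adds, for the list of flags.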
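Review bot: in the property-type table hunk at 606,618, lower, default and upper are each typed "simple", while the description added earlier calls default a "set of flags" and the page defines simple values as strings, optionally enclosed within quotation marks. The page should state how more than one flag is written in a single simple value (separator and quoting), since an administrator setting these limits has nothing else in the visible text to go on.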