Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -1,25 +1,23 @@
 '\" te
 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with
 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SMF_METHOD 5 "May 20, 2009"
+.TH SMF_METHOD 5 "June 6, 2016"
 .SH NAME
 smf_method \- service management framework conventions for methods
 .SH DESCRIPTION
-.sp
 .LP
 The class of services managed by \fBsvc.startd\fR(1M) in the service management
 framework, \fBsmf\fR(5), consists of applications that fit a simple
 \fBfork\fR(2)-\fBexec\fR(2) model. The \fBsvc.startd\fR(1M) master daemon and
 other restarters support the \fBfork\fR(2)-\fBexec\fR(2) model, potentially
 with additional capabilities. The \fBsvc.startd\fR(1M) daemon and other
 restarters require that the methods which activate, manipulate, or examine a
 service instance follow the conventions described in this manual page.
 .SS "Invocation form"
-.sp
 .LP
 The form of a method invocation is not dictated by convention. In some cases, a
 method invocation might consist of the direct invocation of the daemon or other
 binary executable that provides the service. For cases in which an executable
 script or other mediating executable is used, the convention recommends the

@@ -41,11 +39,10 @@
 .LP
 A restarter might define other kinds of methods beyond those referenced in this
 page. The conventions surrounding such extensions are defined by the restarter
 and might not be identical to those given here.
 .SS "Environment Variables"
-.sp
 .LP
 The restarter provides four environment variables to the method that determine
 the context in which the method is invoked.
 .sp
 .ne 2

@@ -98,11 +95,10 @@
 .sp
 .LP
 The method context can cause other environment variables to be set as described
 below.
 .SS "Method Definition"
-.sp
 .LP
 A method is defined minimally by three properties in a propertygroup of type
 \fBmethod\fR.
 .sp
 .LP

@@ -138,11 +134,10 @@
 .sp
 .LP
 A Method Context can be defined to further refine the execution environment of
 the method. See the \fBMethod Context\fR section for more information.
 .SS "Method Tokens"
-.sp
 .LP
 When defined in the \fBexec\fR string of the method by the restarter
 \fBsvc.startd\fR, a set of tokens are parsed and expanded with appropriate
 value. Other restarters might not support method tokens. The delegated
 restarter for inet services, \fBinetd\fR(1M), does not support the following

@@ -256,11 +251,10 @@
 are required by the restarter but which are unnecessary for the particular
 service implementation.
 .RE
 
 .SS "Exiting and Exit Status"
-.sp
 .LP
 The required behavior of a start method is to delay exiting until the service
 instance is ready to answer requests or is otherwise functional.
 .sp
 .LP

@@ -296,11 +290,10 @@
 .LP
 Use of a precise exit code allows the responsible restarter to categorize an
 error response as likely to be intermittent and worth pursuing restart or
 permanent and request administrative intervention.
 .SS "Timeouts"
-.sp
 .LP
 Each method can have an independent timeout, given in seconds. The choice of a
 particular timeout should be based on site expectations for detecting a method
 failure due to non-responsiveness. Sites with replicated filesystems or other
 failover resources can elect to lengthen method timeouts from the default.

@@ -313,11 +306,10 @@
 preferred, but is available for services that absolutely require it.
 .sp
 .LP
 \fB-1 timeout_seconds\fR is also accepted, but is a deprecated specification.
 .SS "Shell Programming Support"
-.sp
 .LP
 A set of environment variables that define the above exit status values is
 provided with convenience shell functions in the file
 \fB/lib/svc/share/smf_include.sh\fR. This file is a Bourne shell script
 suitable for inclusion via the source operator in any Bourne-compatible shell.

@@ -347,11 +339,10 @@
 
 .sp
 .LP
 This example shows the use of both convenience functions that are provided.
 .SS "Method Context"
-.sp
 .LP
 The service management facility offers a common mechanism set the context in
 which the \fBfork\fR(2)-\fBexec\fR(2) model services execute.
 .sp
 .LP

@@ -461,10 +452,30 @@
 .RE
 
 .sp
 .ne 2
 .na
+\fB\fBsecurity_flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+The security flags to apply when launching the method.  See \fBsecurity-flags\fR(5).
+.sp
+.LP
+The "default" keyword specifies those flags specified in
+\fBsvc:/system/process-security\fR.  The "all" keyword enables all flags, the
+"none" keyword enables no flags.  Further flags may be added by specifying
+their name, or removed by specifying their name prefixed by '-' or '!'.
+.sp
+.LP
+Use of "all" has associated risks, as future versions of the system may
+include further flags which may harm poorly implemented software.
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fBcorefile_pattern\fR\fR
 .ad
 .sp .6
 .RS 4n
 An optional string that specifies the corefile pattern to use for the service,
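Review bot: the keyword description in this hunk leaves the value syntax underspecified: it does not say how multiple entries are separated, whether "default", "all" or "none" must come first, or which entry wins when the same flag is both added and removed, so a reader cannot write a correct value from this text alone; a single worked value in the form security-flags(5) accepts would settle all three. Two smaller points in the same lines: "The "all" keyword enables all flags, the "none" keyword enables no flags." is a comma splice and should be two sentences or joined with "and", and the risk sentence covers only "all" while "none" is the setting that drops every mitigation \fBsvc:/system/process-security\fR would otherwise apply, so a parallel caution there would serve administrators better.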

@@ -532,11 +543,10 @@
 File descriptor \fB0\fR is \fB/dev/null\fR. File descriptors \fB1\fR and
 \fB2\fR are recommended to be a per-service log file.
 .RE
 
 .SH FILES
-.sp
 .ne 2
 .na
 \fB\fB/lib/svc/share/smf_include.sh\fR\fR
 .ad
 .sp .6

@@ -553,19 +563,18 @@
 .RS 4n
 Definitions of exit status codes.
 .RE
 
 .SH SEE ALSO
-.sp
 .LP
 \fBzonename\fR(1), \fBcoreadm\fR(1M), \fBinetd\fR(1M), \fBsvccfg\fR(1M),
 \fBsvc.startd\fR(1M), \fBexec\fR(2), \fBfork\fR(2),
 \fBgetdefaultproj\fR(3PROJECT), \fBexec_attr\fR(4), \fBproject\fR(4),
 \fBservice_bundle\fR(4), \fBattributes\fR(5), \fBprivileges\fR(5),
-\fBrbac\fR(5), \fBsmf\fR(5), \fBsmf_bootstrap\fR(5), \fBzones\fR(5)
+\fBrbac\fR(5), \fBsmf\fR(5), \fBsmf_bootstrap\fR(5), \fBzones\fR(5),
+\fBsecurity-flags\fR(5)
 .SH NOTES
-.sp
 .LP
 The present version of \fBsmf\fR(5) does not support multiple repositories.
 .sp
 .LP
 When a service is configured to be started as root but with privileges
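Review bot: the new \fBsecurity-flags\fR(5) entry in the SEE ALSO hunk is appended after \fBzones\fR(5), which breaks the alphabetical-within-section order the rest of the list follows; it belongs between \fBrbac\fR(5) and \fBsmf\fR(5), which would also make the trailing-comma change on the \fBzones\fR(5) line unnecessary.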