Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 2046,2055 **** --- 2046,2056 ---- zone0.zone_name = GLOBAL_ZONENAME; zone0.zone_nodename = utsname.nodename; zone0.zone_domain = srpc_domain; zone0.zone_hostid = HW_INVALID_HOSTID; zone0.zone_fs_allowed = NULL; + psecflags_default(&zone0.zone_secflags); zone0.zone_ref = 1; zone0.zone_id = GLOBAL_ZONEID; zone0.zone_status = ZONE_IS_RUNNING; zone0.zone_rootpath = "/"; zone0.zone_rootpathlen = 2;
*** 2493,2502 **** --- 2494,2529 ---- mutex_exit(&zone_status_lock); return (0); } static int + zone_set_secflags(zone_t *zone, const psecflags_t *zone_secflags) + { + int err = 0; + psecflags_t psf; + + ASSERT(zone != global_zone); + + if ((err = copyin(zone_secflags, &psf, sizeof (psf))) != 0) + return (err); + + if (zone_status_get(zone) > ZONE_IS_READY) + return (EINVAL); + + if (!psecflags_validate(&psf)) + return (EINVAL); + + (void) memcpy(&zone->zone_secflags, &psf, sizeof (psf)); + + /* Set security flags on the zone's zsched */ + (void) memcpy(&zone->zone_zsched->p_secflags, &zone->zone_secflags, + sizeof (zone->zone_zsched->p_secflags)); + + return (0); + } + + static int zone_set_fs_allowed(zone_t *zone, const char *zone_fs_allowed) { char *buf = kmem_zalloc(ZONE_FS_ALLOWED_MAX, KM_SLEEP); int err = 0;
*** 3954,3963 **** --- 3981,3991 ---- if (rctl_local_insert(hndl, nvalp, pp) != 0) kmem_cache_free(rctl_val_cache, nvalp); mutex_exit(&pp->p_lock); } } + /* * Tell the world that we're done setting up. * * At this point we want to set the zone status to ZONE_IS_INITIALIZED * and atomically set the zone's processor set visibility. Once
*** 4237,4247 **** nvlist_free(nvl); return (error); } int ! zone_create_error(int er_error, int er_ext, int *er_out) { if (er_out != NULL) { if (copyout(&er_ext, er_out, sizeof (int))) { return (set_errno(EFAULT)); } } --- 4265,4276 ---- nvlist_free(nvl); return (error); } int ! zone_create_error(int er_error, int er_ext, int *er_out) ! { if (er_out != NULL) { if (copyout(&er_ext, er_out, sizeof (int))) { return (set_errno(EFAULT)); } }
*** 4407,4416 **** --- 4436,4451 ---- zone->zone_ipc.ipcq_shmmni = 0; zone->zone_ipc.ipcq_semmni = 0; zone->zone_ipc.ipcq_msgmni = 0; zone->zone_bootargs = NULL; zone->zone_fs_allowed = NULL; + + secflags_zero(&zone0.zone_secflags.psf_lower); + secflags_zero(&zone0.zone_secflags.psf_effective); + secflags_zero(&zone0.zone_secflags.psf_inherit); + secflags_fullset(&zone0.zone_secflags.psf_upper); + zone->zone_initname = kmem_alloc(strlen(zone_default_initname) + 1, KM_SLEEP); (void) strcpy(zone->zone_initname, zone_default_initname); zone->zone_nlwps = 0; zone->zone_nlwps_ctl = INT_MAX;
*** 5528,5537 **** --- 5563,5579 ---- err = copyoutstr(outstr, buf, bufsize, NULL); if (err != 0 && err != ENAMETOOLONG) error = EFAULT; } break; + case ZONE_ATTR_SECFLAGS: + size = sizeof (zone->zone_secflags); + if (bufsize > size) + bufsize = size; + if ((err = copyout(&zone->zone_secflags, buf, bufsize)) != 0) + error = EFAULT; + break; case ZONE_ATTR_NETWORK: zbuf = kmem_alloc(bufsize, KM_SLEEP); if (copyin(buf, zbuf, bufsize) != 0) { error = EFAULT; } else {
*** 5612,5621 **** --- 5654,5666 ---- err = zone_set_brand(zone, (const char *)buf); break; case ZONE_ATTR_FS_ALLOWED: err = zone_set_fs_allowed(zone, (const char *)buf); break; + case ZONE_ATTR_SECFLAGS: + err = zone_set_secflags(zone, (psecflags_t *)buf); + break; case ZONE_ATTR_PHYS_MCAP: err = zone_set_phys_mcap(zone, (const uint64_t *)buf); break; case ZONE_ATTR_SCHED_CLASS: err = zone_set_sched_class(zone, (const char *)buf);