Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -2046,10 +2046,11 @@
zone0.zone_name = GLOBAL_ZONENAME;
zone0.zone_nodename = utsname.nodename;
zone0.zone_domain = srpc_domain;
zone0.zone_hostid = HW_INVALID_HOSTID;
zone0.zone_fs_allowed = NULL;
+ psecflags_default(&zone0.zone_secflags);
zone0.zone_ref = 1;
zone0.zone_id = GLOBAL_ZONEID;
zone0.zone_status = ZONE_IS_RUNNING;
zone0.zone_rootpath = "/";
zone0.zone_rootpathlen = 2;
@@ -2493,10 +2494,36 @@
mutex_exit(&zone_status_lock);
return (0);
}
static int
+zone_set_secflags(zone_t *zone, const psecflags_t *zone_secflags)
+{
+ int err = 0;
+ psecflags_t psf;
+
+ ASSERT(zone != global_zone);
+
+ if ((err = copyin(zone_secflags, &psf, sizeof (psf))) != 0)
+ return (err);
+
+ if (zone_status_get(zone) > ZONE_IS_READY)
+ return (EINVAL);
+
+ if (!psecflags_validate(&psf))
+ return (EINVAL);
+
+ (void) memcpy(&zone->zone_secflags, &psf, sizeof (psf));
+
+ /* Set security flags on the zone's zsched */
+ (void) memcpy(&zone->zone_zsched->p_secflags, &zone->zone_secflags,
+ sizeof (zone->zone_zsched->p_secflags));
+
+ return (0);
+}
+
+static int
zone_set_fs_allowed(zone_t *zone, const char *zone_fs_allowed)
{
char *buf = kmem_zalloc(ZONE_FS_ALLOWED_MAX, KM_SLEEP);
int err = 0;
@@ -3954,10 +3981,11 @@
if (rctl_local_insert(hndl, nvalp, pp) != 0)
kmem_cache_free(rctl_val_cache, nvalp);
mutex_exit(&pp->p_lock);
}
}
+
/*
* Tell the world that we're done setting up.
*
* At this point we want to set the zone status to ZONE_IS_INITIALIZED
* and atomically set the zone's processor set visibility. Once
@@ -4237,11 +4265,12 @@
nvlist_free(nvl);
return (error);
}
int
-zone_create_error(int er_error, int er_ext, int *er_out) {
+zone_create_error(int er_error, int er_ext, int *er_out)
+{
if (er_out != NULL) {
if (copyout(&er_ext, er_out, sizeof (int))) {
return (set_errno(EFAULT));
}
}
@@ -4407,10 +4436,16 @@
zone->zone_ipc.ipcq_shmmni = 0;
zone->zone_ipc.ipcq_semmni = 0;
zone->zone_ipc.ipcq_msgmni = 0;
zone->zone_bootargs = NULL;
zone->zone_fs_allowed = NULL;
+
+ secflags_zero(&zone0.zone_secflags.psf_lower);
+ secflags_zero(&zone0.zone_secflags.psf_effective);
+ secflags_zero(&zone0.zone_secflags.psf_inherit);
+ secflags_fullset(&zone0.zone_secflags.psf_upper);
+
zone->zone_initname =
kmem_alloc(strlen(zone_default_initname) + 1, KM_SLEEP);
(void) strcpy(zone->zone_initname, zone_default_initname);
zone->zone_nlwps = 0;
zone->zone_nlwps_ctl = INT_MAX;
@@ -5528,10 +5563,17 @@
err = copyoutstr(outstr, buf, bufsize, NULL);
if (err != 0 && err != ENAMETOOLONG)
error = EFAULT;
}
break;
+ case ZONE_ATTR_SECFLAGS:
+ size = sizeof (zone->zone_secflags);
+ if (bufsize > size)
+ bufsize = size;
+ if ((err = copyout(&zone->zone_secflags, buf, bufsize)) != 0)
+ error = EFAULT;
+ break;
case ZONE_ATTR_NETWORK:
zbuf = kmem_alloc(bufsize, KM_SLEEP);
if (copyin(buf, zbuf, bufsize) != 0) {
error = EFAULT;
} else {
@@ -5612,10 +5654,13 @@
err = zone_set_brand(zone, (const char *)buf);
break;
case ZONE_ATTR_FS_ALLOWED:
err = zone_set_fs_allowed(zone, (const char *)buf);
break;
+ case ZONE_ATTR_SECFLAGS:
+ err = zone_set_secflags(zone, (psecflags_t *)buf);
+ break;
case ZONE_ATTR_PHYS_MCAP:
err = zone_set_phys_mcap(zone, (const uint64_t *)buf);
break;
case ZONE_ATTR_SCHED_CLASS:
err = zone_set_sched_class(zone, (const char *)buf);