Print this page
uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap. Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it
*** 65,74 ****
--- 65,75 ----
#include <sys/tspriocntl.h>
#include <sys/iapriocntl.h>
#include <sys/rtpriocntl.h>
#include <sys/fsspriocntl.h>
#include <sys/fxpriocntl.h>
+ #include <sys/proc.h>
#include <netdb.h>
#include <nss_dbdefs.h>
#include <sys/socketvar.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
*** 1598,1607 ****
--- 1599,1658 ----
prt_dec(pri, 0, PC_KY_NULL);
}
/*
+ * Print a psecflags(2) command
+ */
+ void
+ prt_psfcmd(private_t *pri, int raw, long val)
+ {
+ const char *s = NULL;
+
+ if (raw == 0) {
+ switch ((psecflags_cmd_t)val) {
+ case PSECFLAGS_SET:
+ s = "PSECFLAGS_SET";
+ break;
+ case PSECFLAGS_DISABLE:
+ s = "PSECFLAGS_DISABLE";
+ break;
+ case PSECFLAGS_ENABLE:
+ s = "PSECFLAGS_ENABLE";
+ break;
+ }
+ }
+
+ if (s == NULL)
+ prt_dec(pri, 0, val);
+ else
+ outstring(pri, s);
+ }
+
+ void
+ prt_psflags(private_t *pri, int raw, long val)
+ {
+ char *str = pri->code_buf;
+
+ if (raw == 1) {
+ prt_hex(pri, 0, val);
+ return;
+ }
+
+ *str = '\0';
+ if (val & PROC_SEC_ASLR) {
+ (void) strlcat(str, "|PROC_SEC_ASLR", sizeof (pri->code_buf));
+ val &= ~PROC_SEC_ASLR;
+ }
+
+ if (val != 0)
+ (void) snprintf(str, sizeof (pri->code_buf), "%s|%x", str, val);
+
+ outstring(pri, str + 1);
+ }
+
+ /*
* Print processor set id, including logical expansion of "special" ids.
*/
void
prt_pst(private_t *pri, int raw, long val)
{
*** 2868,2874 ****
--- 2919,2927 ----
prt_snf, /* SNF -- print AT_SYMLINK_[NO]FOLLOW flag */
prt_skc, /* SKC -- print sockconfig() subcode */
prt_acf, /* ACF -- print accept4 flags */
prt_pfd, /* PFD -- print pipe fds */
prt_grf, /* GRF -- print getrandom flags */
+ prt_psfcmd, /* PSFCMD -- print psecflags(2) command */
+ prt_psflags, /* PSFLG -- print psecflags(2) flags */
prt_dec, /* HID -- hidden argument, make this the last one */
};