uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap.  Introduce a service, svc:/system/process-security,
and a tool, psecflags(1), to control and observe it.


  65         <privilege set="default" name="file_dac_execute" />
  66         <privilege set="default" name="file_dac_read" />
  67         <privilege set="default" name="file_dac_search" />
  68         <privilege set="default" name="file_dac_write" />
  69         <privilege set="default" name="file_owner" />
  70         <privilege set="default" name="file_setid" />
  71         <privilege set="default" name="ipc_dac_read" />
  72         <privilege set="default" name="ipc_dac_write" />
  73         <privilege set="default" name="ipc_owner" />
  74         <privilege set="default" name="net_bindmlp" />
  75         <privilege set="default" name="net_icmpaccess" />
  76         <privilege set="default" name="net_mac_aware" />
  77         <privilege set="default" name="net_observability" />
  78         <privilege set="default" name="net_privaddr" />
  79         <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
  80         <privilege set="default" name="proc_chroot" />
  81         <privilege set="default" name="sys_audit" />
  82         <privilege set="default" name="proc_audit" />
  83         <privilege set="default" name="proc_lock_memory" />
  84         <privilege set="default" name="proc_owner" />

  85         <privilege set="default" name="proc_setid" />
  86         <privilege set="default" name="proc_taskid" />
  87         <privilege set="default" name="sys_acct" />
  88         <privilege set="default" name="sys_admin" />
  89         <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
  90         <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
  91         <privilege set="default" name="sys_mount" />
  92         <privilege set="default" name="sys_nfs" />
  93         <privilege set="default" name="sys_resource" />
  94         <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
  95 
  96         <privilege set="prohibited" name="dtrace_kernel" />
  97         <privilege set="prohibited" name="proc_zone" />
  98         <privilege set="prohibited" name="sys_config" />
  99         <privilege set="prohibited" name="sys_devices" />
 100         <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
 101         <privilege set="prohibited" name="sys_linkdir" />
 102         <privilege set="prohibited" name="sys_net_config" />
 103         <privilege set="prohibited" name="sys_res_config" />
 104         <privilege set="prohibited" name="sys_suser_compat" />


  65         <privilege set="default" name="file_dac_execute" />
  66         <privilege set="default" name="file_dac_read" />
  67         <privilege set="default" name="file_dac_search" />
  68         <privilege set="default" name="file_dac_write" />
  69         <privilege set="default" name="file_owner" />
  70         <privilege set="default" name="file_setid" />
  71         <privilege set="default" name="ipc_dac_read" />
  72         <privilege set="default" name="ipc_dac_write" />
  73         <privilege set="default" name="ipc_owner" />
  74         <privilege set="default" name="net_bindmlp" />
  75         <privilege set="default" name="net_icmpaccess" />
  76         <privilege set="default" name="net_mac_aware" />
  77         <privilege set="default" name="net_observability" />
  78         <privilege set="default" name="net_privaddr" />
  79         <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
  80         <privilege set="default" name="proc_chroot" />
  81         <privilege set="default" name="sys_audit" />
  82         <privilege set="default" name="proc_audit" />
  83         <privilege set="default" name="proc_lock_memory" />
  84         <privilege set="default" name="proc_owner" />
  85         <privilege set="default" name="proc_secflags" />
  86         <privilege set="default" name="proc_setid" />
  87         <privilege set="default" name="proc_taskid" />
  88         <privilege set="default" name="sys_acct" />
  89         <privilege set="default" name="sys_admin" />
  90         <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
  91         <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
  92         <privilege set="default" name="sys_mount" />
  93         <privilege set="default" name="sys_nfs" />
  94         <privilege set="default" name="sys_resource" />
  95         <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
  96 
  97         <privilege set="prohibited" name="dtrace_kernel" />
  98         <privilege set="prohibited" name="proc_zone" />
  99         <privilege set="prohibited" name="sys_config" />
 100         <privilege set="prohibited" name="sys_devices" />
 101         <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
 102         <privilege set="prohibited" name="sys_linkdir" />
 103         <privilege set="prohibited" name="sys_net_config" />
 104         <privilege set="prohibited" name="sys_res_config" />
 105         <privilege set="prohibited" name="sys_suser_compat" />
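Review bot: The new `proc_secflags` entry at new line 85 is added to the `default` set of what looks like a zone privilege list with no comment explaining the grant, and it is a security-relevant one. Going by the commit description, security flags are what switch address space randomisation on and off, so a process holding this privilege inside the zone can presumably change those flags for the processes it is allowed to control. I would put a comment above the entry, for example `<!-- proc_secflags: lets psecflags(1) and svc:/system/process-security manage security flags inside the zone -->`. The zone documentation should also note that an administrator who wants the flags enforced from outside can exclude the privilege through the zonecfg `limitpriv` property. Only this part of the file is visible, so whether other privilege lists of this kind receive the same entry cannot be checked from here.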