Print this page
uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap. Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/lib/brand/sn1/zone/config.xml
+++ new/usr/src/lib/brand/sn1/zone/config.xml
1 1 <?xml version="1.0"?>
2 2
3 3 <!--
4 4 CDDL HEADER START
5 5
6 6 The contents of this file are subject to the terms of the
7 7 Common Development and Distribution License (the "License").
8 8 You may not use this file except in compliance with the License.
9 9
10 10 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11 11 or http://www.opensolaris.org/os/licensing.
12 12 See the License for the specific language governing permissions
13 13 and limitations under the License.
14 14
15 15 When distributing Covered Code, include this CDDL HEADER in each
16 16 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17 17 If applicable, add the following below this CDDL HEADER, with the
18 18 fields enclosed by brackets "[]" replaced with your own identifying
19 19 information: Portions Copyright [yyyy] [name of copyright owner]
20 20
21 21 CDDL HEADER END
22 22
23 23 Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
24 24
25 25 DO NOT EDIT THIS FILE.
26 26 -->
27 27
28 28 <!DOCTYPE brand PUBLIC "-//Sun Microsystems Inc//DTD Brands//EN"
29 29 "file:///usr/share/lib/xml/dtd/brand.dtd.1">
30 30
31 31 <brand name="sn1">
32 32 <modname>sn1_brand</modname>
33 33
34 34 <initname>/sbin/init</initname>
35 35 <login_cmd>/usr/bin/login -z %Z %u</login_cmd>
36 36 <forcedlogin_cmd>/usr/bin/login -z %Z -f %u</forcedlogin_cmd>
37 37
38 38 <user_cmd>/usr/bin/getent passwd %u</user_cmd>
39 39
40 40 <install>/usr/lib/brand/ipkg/pkgcreatezone -z %z -R %R</install>
41 41 <boot>/usr/lib/brand/sn1/sn1_boot %R</boot>
42 42 <sysboot>/usr/lib/brand/ipkg/prestate %z %R 2 0</sysboot>
43 43 <verify_cfg></verify_cfg>
44 44 <verify_adm></verify_adm>
45 45 <attach>/usr/lib/brand/ipkg/attach %z %R</attach>
46 46 <detach>/usr/lib/brand/ipkg/detach -z %z -R %R</detach>
47 47 <clone>/usr/lib/brand/ipkg/clone -z %z -R %R</clone>
48 48 <uninstall>/usr/lib/brand/ipkg/uninstall %z %R</uninstall>
49 49 <prestatechange>/usr/lib/brand/ipkg/prestate %z %R</prestatechange>
50 50 <poststatechange>/usr/lib/brand/ipkg/poststate %z %R</poststatechange>
51 51 <query>/usr/lib/brand/shared/query %z %R</query>
52 52
53 53 <privilege set="default" name="contract_event" />
54 54 <privilege set="default" name="contract_identity" />
55 55 <privilege set="default" name="contract_observer" />
56 56 <privilege set="default" name="file_chown" />
57 57 <privilege set="default" name="file_chown_self" />
58 58 <privilege set="default" name="file_dac_execute" />
59 59 <privilege set="default" name="file_dac_read" />
60 60 <privilege set="default" name="file_dac_search" />
61 61 <privilege set="default" name="file_dac_write" />
62 62 <privilege set="default" name="file_owner" />
63 63 <privilege set="default" name="file_setid" />
64 64 <privilege set="default" name="ipc_dac_read" />
65 65 <privilege set="default" name="ipc_dac_write" />
66 66 <privilege set="default" name="ipc_owner" />
67 67 <privilege set="default" name="net_bindmlp" />
↓ open down ↓ |
67 lines elided |
↑ open up ↑ |
68 68 <privilege set="default" name="net_icmpaccess" />
69 69 <privilege set="default" name="net_mac_aware" />
70 70 <privilege set="default" name="net_observability" />
71 71 <privilege set="default" name="net_privaddr" />
72 72 <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
73 73 <privilege set="default" name="proc_chroot" />
74 74 <privilege set="default" name="sys_audit" />
75 75 <privilege set="default" name="proc_audit" />
76 76 <privilege set="default" name="proc_lock_memory" />
77 77 <privilege set="default" name="proc_owner" />
78 + <privilege set="default" name="proc_secflags" />
78 79 <privilege set="default" name="proc_setid" />
79 80 <privilege set="default" name="proc_taskid" />
80 81 <privilege set="default" name="sys_acct" />
81 82 <privilege set="default" name="sys_admin" />
82 83 <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
83 84 <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
84 85 <privilege set="default" name="sys_mount" />
85 86 <privilege set="default" name="sys_nfs" />
86 87 <privilege set="default" name="sys_resource" />
87 88 <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
88 89
89 90 <privilege set="prohibited" name="dtrace_kernel" />
90 91 <privilege set="prohibited" name="proc_zone" />
91 92 <privilege set="prohibited" name="sys_config" />
92 93 <privilege set="prohibited" name="sys_devices" />
93 94 <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
94 95 <privilege set="prohibited" name="sys_linkdir" />
95 96 <privilege set="prohibited" name="sys_net_config" />
96 97 <privilege set="prohibited" name="sys_res_config" />
97 98 <privilege set="prohibited" name="sys_suser_compat" />
98 99 <privilege set="prohibited" name="xvm_control" />
99 100 <privilege set="prohibited" name="virt_manage" />
100 101 <privilege set="prohibited" name="sys_ppp_config" ip-type="shared" />
101 102
102 103 <privilege set="required" name="proc_exec" />
103 104 <privilege set="required" name="proc_fork" />
104 105 <privilege set="required" name="sys_ip_config" ip-type="exclusive" />
105 106 <privilege set="required" name="sys_mount" />
106 107 </brand>
↓ open down ↓ |
19 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX