uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap.  Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it

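--- a/usr/src/lib/pam_modules/unix_cred/unix_cred.c
+++ b/usr/src/lib/pam_modules/unix_cred/unix_cred.c
@@ -585,20 +585,21 @@
                 goto out;
         }
 
         if (def == NULL) {
                 def = priv_allocset();
                 if (def == NULL) {
                         ret = PAM_SYSTEM_ERR;
                         goto out;
                 }
                 priv_basicset(def);
+                (void) priv_addset(def, PRIV_PROC_SECFLAGS);
                 errno = 0;
                 if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
                         (void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
         }
         /*
          * Silently limit the privileges to those actually available
          * in the current zone.
          */
         tset = priv_allocset();
         if (tset == NULL) {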
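Review bot: The added `(void) priv_addset(def, PRIV_PROC_SECFLAGS);` widens the fallback default set for every session that reaches this branch with `def == NULL`, and nothing at the call explains why a privilege beyond `priv_basicset()` is granted unconditionally. Unlike the `PRIV_FILE_CHOWN_SELF` line below it, which is gated on `pathconf()`, this grant has no condition, so it should carry a comment such as `/* Default sessions may adjust their own process security flags; see psecflags(1). */`, assuming that is the intent, which the page does not show. If the privilege is meant to be held by everyone, it may be cleaner to put it in the basic set so that credential paths which do not go through pam_unix_cred agree with this one. The `(void)` cast also discards a failure that would silently leave the privilege out of the set. The enclosing function starts and ends outside the hunk.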