7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

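--- a/usr/src/cmd/svc/svccfg/svccfg_xml.c
+++ b/usr/src/cmd/svc/svccfg/svccfg_xml.c
@@ -1007,20 +1007,24 @@
                 return (-1);
 
         if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_PROJECT,
             SCF_TYPE_ASTRING, ctx, "project", NULL) != 0)
                 return (-1);
 
         if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_RESOURCE_POOL,
             SCF_TYPE_ASTRING, ctx, "resource_pool", NULL) != 0)
                 return (-1);
 
+        if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_SECFLAGS,
+            SCF_TYPE_ASTRING, ctx, "security_flags", NULL) != 0)
+                return (-1);
+
         for (cursor = ctx->xmlChildrenNode; cursor != NULL;
             cursor = cursor->next) {
                 if (lxml_ignorable_block(cursor))
                         continue;
 
                 switch (lxml_xlate_element(cursor->name)) {
                 case SC_METHOD_CREDENTIAL:
                         (void) lxml_get_method_credential(pg, cursor);
                         break;
                 case SC_METHOD_PROFILE:
@@ -1093,21 +1097,22 @@
                     SCF_TYPE_COUNT, 1, u_timeout);
                 r = internal_attach_property(pg, p);
                 xmlFree(timeout);
         }
         if (r != 0)
                 return (-1);
 
         /*
          * There is a possibility that a method context also exists, in which
          * case the following attributes are defined: project, resource_pool,
-         * working_directory, profile, user, group, privileges, limit_privileges
+         * working_directory, profile, user, group, privileges,
+         * limit_privileges, security_flags
          */
         for (cursor = emeth->xmlChildrenNode; cursor != NULL;
             cursor = cursor->next) {
                 if (lxml_ignorable_block(cursor))
                         continue;
 
                 switch (lxml_xlate_element(cursor->name)) {
                 case SC_STABILITY:
                         if (lxml_get_pgroup_stability(pg, cursor) != 0)
                                 return (-1);
@@ -3346,21 +3351,22 @@
  * and has a manifestfiles property group then the import
  * process can handle the manifestfiles property group
  * work.
  *
  * This prevents potential cleanup of unaccounted for instances
  * in early manifest import due to upgrade process needing
  * information that has not yet been supplied by manifests
  * that are still located in the /var/svc manifests directory.
  */
 static int
-lxml_check_upgrade(const char *service) {
+lxml_check_upgrade(const char *service)
+{
         scf_handle_t    *h = NULL;
         scf_scope_t     *sc = NULL;
         scf_service_t   *svc = NULL;
         scf_propertygroup_t     *pg = NULL;
         int rc = SCF_FAILED;
 
         if ((h = scf_handle_create(SCF_VERSION)) == NULL ||
             (sc = scf_scope_create(h)) == NULL ||
             (svc = scf_service_create(h)) == NULL ||
             (pg = scf_pg_create(h)) == NULL)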
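Review bot: The new `security_flags` read in the first hunk (new lines 1017-1019) stores the attribute as an unparsed `SCF_TYPE_ASTRING`, exactly like `project` and `resource_pool`, so nothing visible here rejects a misspelled or unknown flag name at manifest import. Whether the consumer that later applies the flags fails the method start or runs the method without the requested mitigation is not visible on this page; for an exploit-mitigation setting the contract should be fail-closed, and validating the value at import would surface the mistake earlier if a flag parser is available to svccfg. At minimum I would add a comment above the call, such as `/* security_flags is stored verbatim; the consumer of this property must reject unknown flag names */`. The enclosing function starts and ends outside the hunk, so an existing check elsewhere in it cannot be ruled out.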
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX