Print this page
Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


  20  */
  21 
  22 /*
  23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26 
  27 /*
  28  * This file contains high level functions used by multiple utilities.
  29  */
  30 
  31 #include "libscf_impl.h"
  32 
  33 #include <assert.h>
  34 #include <libuutil.h>
  35 #include <string.h>
  36 #include <stdlib.h>
  37 #include <sys/systeminfo.h>
  38 #include <sys/uadmin.h>
  39 #include <sys/utsname.h>

  40 
  41 #ifdef  __x86
  42 #include <smbios.h>
  43 
  44 /*
  45  * Check whether the platform is on the fastreboot_blacklist.
  46  * Return 1 if the platform has been blacklisted, 0 otherwise.
  47  */
  48 static int
  49 scf_is_fb_blacklisted(void)
  50 {
  51         smbios_hdl_t *shp;
  52         smbios_system_t sys;
  53         smbios_info_t info;
  54 
  55         id_t id;
  56         int err;
  57         int i;
  58 
  59         scf_simple_prop_t *prop = NULL;


 336         /*
 337          * If we are on xVM, do not fast reboot by default.
 338          */
 339         if (sysinfo(SI_PLATFORM, procbuf, sizeof (procbuf)) == -1 ||
 340             strcmp(procbuf, "i86xpv") == 0)
 341                 return (0);
 342 
 343         /*
 344          * Get property values from "config" property group
 345          */
 346         scf_get_boot_config(&boot_config);
 347 
 348         /*
 349          * Get property values from non-persistent "config_ovr" property group
 350          */
 351         boot_config_ovr = boot_config;
 352         scf_get_boot_config_ovr(&boot_config_ovr);
 353 
 354         return (boot_config & boot_config_ovr & UA_FASTREBOOT_DEFAULT);
 355 }

























































































  20  */
  21 
  22 /*
  23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26 
  27 /*
  28  * This file contains high level functions used by multiple utilities.
  29  */
  30 
  31 #include "libscf_impl.h"
  32 
  33 #include <assert.h>
  34 #include <libuutil.h>
  35 #include <string.h>
  36 #include <stdlib.h>
  37 #include <sys/systeminfo.h>
  38 #include <sys/uadmin.h>
  39 #include <sys/utsname.h>
  40 #include <sys/secflags.h>
  41 
  42 #ifdef  __x86
  43 #include <smbios.h>
  44 
  45 /*
  46  * Check whether the platform is on the fastreboot_blacklist.
  47  * Return 1 if the platform has been blacklisted, 0 otherwise.
  48  */
  49 static int
  50 scf_is_fb_blacklisted(void)
  51 {
  52         smbios_hdl_t *shp;
  53         smbios_system_t sys;
  54         smbios_info_t info;
  55 
  56         id_t id;
  57         int err;
  58         int i;
  59 
  60         scf_simple_prop_t *prop = NULL;


 337         /*
 338          * If we are on xVM, do not fast reboot by default.
 339          */
 340         if (sysinfo(SI_PLATFORM, procbuf, sizeof (procbuf)) == -1 ||
 341             strcmp(procbuf, "i86xpv") == 0)
 342                 return (0);
 343 
 344         /*
 345          * Get property values from "config" property group
 346          */
 347         scf_get_boot_config(&boot_config);
 348 
 349         /*
 350          * Get property values from non-persistent "config_ovr" property group
 351          */
 352         boot_config_ovr = boot_config;
 353         scf_get_boot_config_ovr(&boot_config_ovr);
 354 
 355         return (boot_config & boot_config_ovr & UA_FASTREBOOT_DEFAULT);
 356 }
 357 
 358 /*
 359  * Read the default security-flags from system/process-security and return a
 360  * secflagset_t suitable for psecflags(2)
 361  *
 362  * Unfortunately, this symbol must _exist_ in the native build, for the sake
 363  * of the mapfile, even though we don't ever use it, and it will never work.
 364  */
 365 struct group_desc {
 366         secflagset_t *set;
 367         char *fmri;
 368 };
 369 
 370 int
 371 scf_default_secflags(scf_handle_t *hndl, psecflags_t *flags)
 372 {
 373 #if !defined(NATIVE_BUILD)
 374         scf_property_t *prop;
 375         scf_value_t *val;
 376         const char *flagname;
 377         int flag;
 378         struct group_desc *g;
 379         struct group_desc groups[] = {
 380                 {NULL, "svc:/system/process-security/"
 381                     ":properties/default"},
 382                 {NULL, "svc:/system/process-security/"
 383                     ":properties/lower"},
 384                 {NULL, "svc:/system/process-security/"
 385                     ":properties/upper"},
 386                 {NULL, NULL}
 387         };
 388 
 389         groups[0].set = &flags->psf_inherit;
 390         groups[1].set = &flags->psf_lower;
 391         groups[2].set = &flags->psf_upper;
 392 
 393         /* Ensure sane defaults */
 394         psecflags_default(flags);
 395 
 396         for (g = groups; g->set != NULL; g++) {
 397                 for (flag = 0; (flagname = secflag_to_str(flag)) != NULL;
 398                     flag++) {
 399                         char *pfmri;
 400                         uint8_t flagval = 0;
 401 
 402                         if ((val = scf_value_create(hndl)) == NULL)
 403                                 return (-1);
 404 
 405                         if ((prop = scf_property_create(hndl)) == NULL) {
 406                                 scf_value_destroy(val);
 407                                 return (-1);
 408                         }
 409 
 410                         if ((pfmri = uu_msprintf("%s/%s", g->fmri,
 411                             flagname)) == NULL)
 412                                 uu_die("Allocation failure\n");
 413 
 414                         if (scf_handle_decode_fmri(hndl, pfmri,
 415                             NULL, NULL, NULL, NULL, prop, NULL) != 0)
 416                                 goto next;
 417 
 418                         if (scf_property_get_value(prop, val) != 0)
 419                                 goto next;
 420 
 421                         (void) scf_value_get_boolean(val, &flagval);
 422 
 423                         if (flagval != 0)
 424                                 secflag_set(g->set, flag);
 425                         else
 426                                 secflag_clear(g->set, flag);
 427 
 428 next:
 429                         uu_free(pfmri);
 430                         scf_value_destroy(val);
 431                         scf_property_destroy(prop);
 432                 }
 433         }
 434 
 435         if (!psecflags_validate(flags))
 436                 return (-1);
 437 
 438         return (0);
 439 #else
 440         assert(0);
 441         abort();
 442 #endif /* !NATIVE_BUILD */
 443 }