7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

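--- a/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1
+++ b/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1
@@ -135,27 +135,33 @@
 
 <!ELEMENT mcap          EMPTY>
 
 <!ATTLIST mcap          physcap         CDATA #REQUIRED>
 
 <!ELEMENT admin         EMPTY>
 
 <!ATTLIST admin         user            CDATA #REQUIRED
                         auths           CDATA #REQUIRED>
 
+<!ELEMENT security-flags        EMPTY>
+
+<!ATTLIST security-flags        default         CDATA ""
+                        lower           CDATA ""
+                        upper           CDATA "">
+
 <!ELEMENT zone          (filesystem | inherited-pkg-dir | network | device |
                         deleted-device | rctl | attr | dataset | package |
                         patch | dev-perm | tmp_pool | pset |
-                        mcap | admin)*>
+                        mcap | admin | security-flags)*>
 
 <!ATTLIST zone          name            CDATA #REQUIRED
                         zonepath        CDATA #REQUIRED
                         autoboot        (true | false) #REQUIRED
                         ip-type         CDATA ""
                         hostid          CDATA ""
                         pool            CDATA ""
                         limitpriv       CDATA ""
                         bootargs        CDATA ""
                         brand           CDATA ""
                         scheduling-class        CDATA ""
                         fs-allowed      CDATA ""
                         version         NMTOKEN #FIXED '1'>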
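Review bot: The new `security-flags` attributes `default`, `lower` and `upper` are all declared `CDATA ""`, and the element is added to the `zone` `(...)*` group, so the DTD accepts any string, an empty value, and more than one `security-flags` element per zone. Going by the commit title, these values control the exploit mitigations (ASLR, non-executable user stack, forbidding mappings around NULL) applied to a zone's processes. The code that reads them is not shown here; it should reject unknown flag names, a repeated element, and a `default` set that falls outside the `lower`/`upper` bounds, rather than silently falling back to no mitigation. Unless the elided header already documents the element, I would add a comment above the `<!ELEMENT security-flags ...>` line such as `<!-- security-flags: default, lower and upper secflag sets for the zone; contents are validated by the consumer, not by this DTD -->`.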
    