Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
*** 103,112 ****
--- 103,117 ----
rctl
Resource control.
+ security-flags
+
+ Process security flag settings.
+
+
Properties
Each resource type has one or more properties. There are also some
global properties, that is, properties of the configuration as a whole,
rather than of some particular resource.
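Review bot: The new security-flags resource entry says only "Process security flag settings." and gives no indication of what a security flag is or where the flag names are defined. The SEE ALSO list in this same change gains security-flags(5), so point to it here as well, for example "Process security flag settings; see security-flags(5)."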
*** 236,245 ****
--- 241,255 ----
capped-cpu
ncpus
+ security-flags
+
+ lower, default, upper.
+
+
As for the property values which are paired with these names, they are
either simple, complex, or lists. The type allowed is property-
specific. Simple values are strings, optionally enclosed within
quotation marks. Complex values have the syntax:
*** 530,539 ****
--- 540,556 ----
The capped-cpu property is an alias for zone.cpu-cap resource
control and is related to the zone.cpu-cap resource control. See
resource_controls(5).
+ security-flags: lower, default, upper
+
+ Set the process security flags associated with the zone. The lower
+ and upper fields set the limits, the default field is set of flags
+ all zone processes inherit.
+
+
global: fs-allowed
A comma-separated list of additional filesystems that may be
mounted within the zone; for example "ufs,pcfs". By default, only
hsfs(7fs) and network filesystems can be mounted. If the first
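Review bot: The sentence "the default field is set of flags all zone processes inherit" in the security-flags description is missing an article and is joined to the preceding clause by a comma splice. Suggest "The lower and upper fields set the limits; the default field is the set of flags that all zone processes inherit." The description also leaves open what happens when default is not within the limits given by lower and upper, and whether any of the three fields may be omitted. Both should be stated, since an administrator relying on the limits needs to know whether a mismatched configuration is rejected or silently adjusted.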
*** 589,598 ****
--- 606,618 ----
capped-memory physical simple with scale
swap simple with scale
locked simple with scale
capped-cpu ncpus simple
+ security-flags lower simple
+ default simple
+ upper simple
To further specify things, the breakdown of the complex property
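Review bot: The lower, default and upper rows are all typed simple, which this page defines as a string, but nothing in the added text shows how more than one flag is written in a single simple value (separator, quoting). State the value syntax alongside the property description, or add a zonecfg example that sets all three fields.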
*** 1272,1288 ****
SEE ALSO
ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
! privileges(5), resource_controls(5), zones(5)
System Administration Guide: Solaris Containers-Resource Management,
and Solaris Zones
NOTES
All character data used by zonecfg must be in US-ASCII encoding.
! February 28, 2014 ZONECFG(1M)
--- 1292,1308 ----
SEE ALSO
ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
! privileges(5), resource_controls(5), security-flags(5), zones(5)
System Administration Guide: Solaris Containers-Resource Management,
and Solaris Zones
NOTES
All character data used by zonecfg must be in US-ASCII encoding.
! June 6, 2016 ZONECFG(1M)