Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -103,10 +103,15 @@
rctl
Resource control.
+ security-flags
+
+ Process security flag settings.
+
+
Properties
Each resource type has one or more properties. There are also some
global properties, that is, properties of the configuration as a whole,
rather than of some particular resource.
@@ -236,10 +241,15 @@
capped-cpu
ncpus
+ security-flags
+
+ lower, default, upper.
+
+
As for the property values which are paired with these names, they are
either simple, complex, or lists. The type allowed is property-
specific. Simple values are strings, optionally enclosed within
quotation marks. Complex values have the syntax:
@@ -530,10 +540,17 @@
The capped-cpu property is an alias for zone.cpu-cap resource
control and is related to the zone.cpu-cap resource control. See
resource_controls(5).
+ security-flags: lower, default, upper
+
+ Set the process security flags associated with the zone. The lower
+ and upper fields set the limits, the default field is set of flags
+ all zone processes inherit.
+
+
global: fs-allowed
A comma-separated list of additional filesystems that may be
mounted within the zone; for example "ufs,pcfs". By default, only
hsfs(7fs) and network filesystems can be mounted. If the first
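Review bot: In the added security-flags description, "the default field is set of flags all zone processes inherit" is missing an article and is joined to the previous clause with a comma splice. Suggest "The lower and upper fields set the limits; the default field is the set of flags that all zone processes inherit." The entry also does not say what the lower and upper limits bound, and it does not name the valid flags or say where they are defined. Since this change adds security-flags(5) to SEE ALSO, a closing "See security-flags(5)." would match the "See resource_controls(5)." in the capped-cpu entry just above.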
@@ -589,10 +606,13 @@
capped-memory physical simple with scale
swap simple with scale
locked simple with scale
capped-cpu ncpus simple
+ security-flags lower simple
+ default simple
+ upper simple
To further specify things, the breakdown of the complex property
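Review bot: The three added rows type lower, default and upper as "simple", that is, a single string, but nothing in the added text says how a set of several flags is written in one simple value (which separator to use, and how an empty set is expressed). State the value syntax either here or in the security-flags property description so an administrator can write a valid setting from this page alone.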
@@ -1272,17 +1292,17 @@
SEE ALSO
ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
- privileges(5), resource_controls(5), zones(5)
+ privileges(5), resource_controls(5), security-flags(5), zones(5)
System Administration Guide: Solaris Containers-Resource Management,
and Solaris Zones
NOTES
All character data used by zonecfg must be in US-ASCII encoding.
- February 28, 2014 ZONECFG(1M)
+ June 6, 2016 ZONECFG(1M)