Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -305,10 +305,28 @@
            used as a token to indicate the home directory of the user whose
            uid is used to launch the method. If the property is unset, :home
            is used.
 
 
+       security_flags
+
+           The security flags to apply when launching the method.  See
+           security-flags(5).
+
+
+           The "default" keyword specifies those flags specified in
+           svc:/system/process-security.  The "all" keyword enables all flags,
+           the "none" keyword enables no flags.  Further flags may be added by
+           specifying their name, or removed by specifying their name prefixed
+           by '-' or '!'.
+
+
+           Use of "all" has associated risks, as future versions of the system
+           may include further flags which may harm poorly implemented
+           software.
+
+
        corefile_pattern
 
            An optional string that specifies the corefile pattern to use for
            the service, as per coreadm(1M). Most restarters supply a default.
            Setting this property overrides local customizations to the global
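Review bot: The added security_flags description does not say what is applied when the property is unset, or how multiple flag names are separated. The neighbouring property text in this hunk states its fallback explicitly ("If the property is unset, :home is used."), so a matching sentence belongs here, along with the separator. It is also unclear whether a bare "-name" or "!name" entry is taken relative to "default" or to an empty set. Since this value decides which exploit mitigations a service runs with, the man page should leave no room for guessing. Minor wording: "specifies those flags specified in" reads awkwardly; "selects the flags configured in" would be clearer.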

@@ -370,11 +388,11 @@
 
 SEE ALSO
        zonename(1), coreadm(1M), inetd(1M), svccfg(1M), svc.startd(1M),
        exec(2), fork(2), getdefaultproj(3PROJECT), exec_attr(4), project(4),
        service_bundle(4), attributes(5), privileges(5), rbac(5), smf(5),
-       smf_bootstrap(5), zones(5)
+       smf_bootstrap(5), zones(5), security-flags(5)
 
 NOTES
        The present version of smf(5) does not support multiple repositories.
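Review bot: In SEE ALSO, security-flags(5) is appended after zones(5), which breaks the alphabetical order the other section 5 entries follow (attributes, privileges, rbac, smf, smf_bootstrap, zones). Suggest placing it between rbac(5) and smf(5).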
 
 

@@ -383,6 +401,6 @@
        aware.  This can be surprising to developers who expect seteuid(<non-
        zero UID>) to reduce privileges to basic or less.
 
 
 
-                                 May 20, 2009                    SMF_METHOD(5)
+                                 June 6, 2016                    SMF_METHOD(5)