7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


 198         dummycr->cr_suid = (uid_t)-1;
 199         dummycr->cr_sgid = (gid_t)-1;
 200 
 201 
 202         /*
 203          * kcred is used by anything that needs all privileges; it's
 204          * also the template used for crget as it has all the compatible
 205          * sets filled in.
 206          */
 207         kcred = cralloc();
 208 
 209         bzero(kcred, crsize);
 210         kcred->cr_ref = 1;
 211 
 212         /* kcred is never freed, so we don't need zone_cred_hold here */
 213         kcred->cr_zone = &zone0;
 214 
 215         priv_fillset(&CR_LPRIV(kcred));
 216         CR_IPRIV(kcred) = *priv_basic;
 217 


 218         /* Not a basic privilege, if chown is not restricted add it to I0 */
 219         if (!rstchown)
 220                 priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
 221 
 222         /* Basic privilege, if link is restricted remove it from I0 */
 223         if (rstlink)
 224                 priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
 225 
 226         CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
 227 
 228         CR_FLAGS(kcred) = NET_MAC_AWARE;
 229 
 230         /*
 231          * Set up credentials of p0.
 232          */
 233         ttoproc(curthread)->p_cred = kcred;
 234         curthread->t_cred = kcred;
 235 
 236         ucredsize = UCRED_SIZE;
 237 




 198         dummycr->cr_suid = (uid_t)-1;
 199         dummycr->cr_sgid = (gid_t)-1;
 200 
 201 
 202         /*
 203          * kcred is used by anything that needs all privileges; it's
 204          * also the template used for crget as it has all the compatible
 205          * sets filled in.
 206          */
 207         kcred = cralloc();
 208 
 209         bzero(kcred, crsize);
 210         kcred->cr_ref = 1;
 211 
 212         /* kcred is never freed, so we don't need zone_cred_hold here */
 213         kcred->cr_zone = &zone0;
 214 
 215         priv_fillset(&CR_LPRIV(kcred));
 216         CR_IPRIV(kcred) = *priv_basic;
 217 
 218         priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
 219 
 220         /* Not a basic privilege, if chown is not restricted add it to I0 */
 221         if (!rstchown)
 222                 priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
 223 
 224         /* Basic privilege, if link is restricted remove it from I0 */
 225         if (rstlink)
 226                 priv_delset(&CR_IPRIV(kcred), PRIV_FILE_LINK_ANY);
 227 
 228         CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);
 229 
 230         CR_FLAGS(kcred) = NET_MAC_AWARE;
 231 
 232         /*
 233          * Set up credentials of p0.
 234          */
 235         ttoproc(curthread)->p_cred = kcred;
 236         curthread->t_cred = kcred;
 237 
 238         ucredsize = UCRED_SIZE;
 239
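Review bot: The new `priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);` at line 218 is the only addition to kcred's inheritable set without a comment, whereas the neighbouring chown and link adjustments each state whether the privilege is basic and why it is added to or removed from I0. Since `CR_EPRIV(kcred) = CR_PPRIV(kcred) = CR_IPRIV(kcred);` at line 228 copies I0 into E and P and kcred then seeds p0, this line appears to make PRIV_PROC_SECFLAGS part of every process's default privilege sets unless something outside this hunk removes it; if that is the intent it should be stated next to the line, and unlike the rstchown/rstlink cases there is no tunable to withhold it. A comment in the style of its neighbours would do, e.g. `/* <basic or not — confirm>: added to I0 so init and every process descended from p0 inherits it */`. The enclosing function starts before and ends after the hunk.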