Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 38,47 **** --- 38,48 ---- #include <sys/cred.h> #include <sys/netstack.h> #include <sys/uadmin.h> #include <sys/ksynch.h> #include <sys/socket_impl.h> + #include <sys/secflags.h> #include <netinet/in.h> #ifdef __cplusplus extern "C" { #endif
*** 102,111 **** --- 103,113 ---- #define ZONE_ATTR_FLAGS 14 #define ZONE_ATTR_HOSTID 15 #define ZONE_ATTR_FS_ALLOWED 16 #define ZONE_ATTR_NETWORK 17 #define ZONE_ATTR_INITNORESTART 20 + #define ZONE_ATTR_SECFLAGS 21 /* Start of the brand-specific attribute namespace */ #define ZONE_ATTR_BRAND_ATTRS 32768 #define ZONE_FS_ALLOWED_MAX 1024
*** 576,585 **** --- 578,589 ---- uint64_t zone_anonpgin; /* anon pages paged in */ uint64_t zone_execpgin; /* exec pages paged in */ uint64_t zone_fspgin; /* fs pages paged in */ uint64_t zone_anon_alloc_fail; /* cnt of anon alloc fails */ + psecflags_t zone_secflags; /* default zone security-flags */ + /* * Misc. kstats and counters for zone cpu-usage aggregation. * The zone_Xtime values are the sum of the micro-state accounting * values for all threads that are running or have run in the zone. * This is tracked in msacct.c as threads change state.