Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 75,84 **** --- 75,85 ---- #include <sys/stat.h> #include <sys/sockio.h> #include <sys/stropts.h> #include <sys/conf.h> #include <sys/systeminfo.h> + #include <sys/secflags.h> #include <libdlpi.h> #include <libdllink.h> #include <libdlvlan.h>
*** 4589,4598 **** --- 4590,4689 ---- return (res); } static int + setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) + { + psecflags_t secflags; + struct zone_secflagstab tab = {0}; + secflagdelta_t delt; + int res; + + res = zonecfg_lookup_secflags(handle, &tab); + + if ((res != Z_OK) && + /* The general defaulting code will handle this */ + (res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)) { + zerror(zlogp, B_FALSE, "security-flags property is " + "invalid: %d", res); + return (res); + } + + if (strlen(tab.zone_secflags_lower) == 0) + (void) strlcpy(tab.zone_secflags_lower, "none", + sizeof (tab.zone_secflags_lower)); + if (strlen(tab.zone_secflags_default) == 0) + (void) strlcpy(tab.zone_secflags_default, + tab.zone_secflags_lower, + sizeof (tab.zone_secflags_default)); + if (strlen(tab.zone_secflags_upper) == 0) + (void) strlcpy(tab.zone_secflags_upper, "all", + sizeof (tab.zone_secflags_upper)); + + if (secflags_parse(NULL, tab.zone_secflags_default, + &delt) == -1) { + zerror(zlogp, B_FALSE, "default security-flags: '%s'" + "are invalid", tab.zone_secflags_default); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (default " + "security-flags: '%s')", + tab.zone_secflags_default); + return (Z_BAD_PROPERTY); + } else { + secflags_copy(&secflags.psf_inherit, &delt.psd_assign); + secflags_copy(&secflags.psf_effective, &delt.psd_assign); + } + + if (secflags_parse(NULL, tab.zone_secflags_lower, + &delt) == -1) { + zerror(zlogp, B_FALSE, "lower security-flags: '%s'" + "are invalid", tab.zone_secflags_lower); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (lower " + "security-flags: '%s')", + tab.zone_secflags_lower); + return (Z_BAD_PROPERTY); + } else { + secflags_copy(&secflags.psf_lower, &delt.psd_assign); + } + + if (secflags_parse(NULL, tab.zone_secflags_upper, + &delt) == -1) { + zerror(zlogp, B_FALSE, "upper security-flags: '%s'" + "are invalid", tab.zone_secflags_upper); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (upper " + "security-flags: '%s')", + tab.zone_secflags_upper); + return (Z_BAD_PROPERTY); + } else { + secflags_copy(&secflags.psf_upper, &delt.psd_assign); + } + + if (!psecflags_validate(&secflags)) { + zerror(zlogp, B_TRUE, "security-flags violate invariants"); + return (Z_BAD_PROPERTY); + } + + if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags, + sizeof (secflags))) != 0) { + zerror(zlogp, B_TRUE, + "security-flags couldn't be set: %d", res); + return (Z_SYSTEM); + } + + return (Z_OK); + } + + static int setup_zone_fs_allowed(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) { char fsallowed[ZONE_FS_ALLOWED_MAX]; char *fsallowedp = fsallowed; int len = sizeof (fsallowed);
*** 4605,4615 **** (void) strlcpy(fsallowed, DFLT_FS_ALLOWED, len); } else if (res != Z_OK) { report_prop_err(zlogp, "fs-allowed", fsallowed, res); return (res); } else if (fsallowed[0] == '-') { ! /* dropping default privs - use remaining list */ if (fsallowed[1] != ',') return (Z_OK); fsallowedp += 2; len -= 2; } else { --- 4696,4706 ---- (void) strlcpy(fsallowed, DFLT_FS_ALLOWED, len); } else if (res != Z_OK) { report_prop_err(zlogp, "fs-allowed", fsallowed, res); return (res); } else if (fsallowed[0] == '-') { ! /* dropping default filesystems - use remaining list */ if (fsallowed[1] != ',') return (Z_OK); fsallowedp += 2; len -= 2; } else {
*** 4650,4659 **** --- 4741,4753 ---- goto out; if ((res = setup_zone_fs_allowed(handle, zlogp, zoneid)) != Z_OK) goto out; + if ((res = setup_zone_secflags(handle, zlogp, zoneid)) != Z_OK) + goto out; + out: zonecfg_fini_handle(handle); return (res); }