Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -75,10 +75,11 @@
 #include <sys/stat.h>
 #include <sys/sockio.h>
 #include <sys/stropts.h>
 #include <sys/conf.h>
 #include <sys/systeminfo.h>
+#include <sys/secflags.h>
 
 #include <libdlpi.h>
 #include <libdllink.h>
 #include <libdlvlan.h>
 

@@ -4589,10 +4590,100 @@
 
         return (res);
 }
 
 static int
+setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid)
+{
+        psecflags_t secflags;
+        struct zone_secflagstab tab = {0};
+        secflagdelta_t delt;
+        int res;
+
+        res = zonecfg_lookup_secflags(handle, &tab);
+
+        if ((res != Z_OK) &&
+            /* The general defaulting code will handle this */
+            (res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)) {
+                zerror(zlogp, B_FALSE, "security-flags property is "
+                    "invalid: %d", res);
+                return (res);
+        }
+
+        if (strlen(tab.zone_secflags_lower) == 0)
+                (void) strlcpy(tab.zone_secflags_lower, "none",
+                    sizeof (tab.zone_secflags_lower));
+        if (strlen(tab.zone_secflags_default) == 0)
+                (void) strlcpy(tab.zone_secflags_default,
+                    tab.zone_secflags_lower,
+                    sizeof (tab.zone_secflags_default));
+        if (strlen(tab.zone_secflags_upper) == 0)
+                (void) strlcpy(tab.zone_secflags_upper, "all",
+                    sizeof (tab.zone_secflags_upper));
+
+        if (secflags_parse(NULL, tab.zone_secflags_default,
+            &delt) == -1) {
+                zerror(zlogp, B_FALSE, "default security-flags: '%s'"
+                    "are invalid", tab.zone_secflags_default);
+                return (Z_BAD_PROPERTY);
+        } else if (delt.psd_ass_active != B_TRUE) {
+                zerror(zlogp, B_FALSE, "relative security-flags are not "
+                    "allowed in zone configuration (default "
+                    "security-flags: '%s')",
+                    tab.zone_secflags_default);
+                return (Z_BAD_PROPERTY);
+        } else {
+                secflags_copy(&secflags.psf_inherit, &delt.psd_assign);
+                secflags_copy(&secflags.psf_effective, &delt.psd_assign);
+        }
+
+        if (secflags_parse(NULL, tab.zone_secflags_lower,
+            &delt) == -1) {
+                zerror(zlogp, B_FALSE, "lower security-flags: '%s'"
+                    "are invalid", tab.zone_secflags_lower);
+                return (Z_BAD_PROPERTY);
+        } else if (delt.psd_ass_active != B_TRUE) {
+                zerror(zlogp, B_FALSE, "relative security-flags are not "
+                    "allowed in zone configuration (lower "
+                    "security-flags: '%s')",
+                    tab.zone_secflags_lower);
+                return (Z_BAD_PROPERTY);
+        } else {
+                secflags_copy(&secflags.psf_lower, &delt.psd_assign);
+        }
+
+        if (secflags_parse(NULL, tab.zone_secflags_upper,
+            &delt) == -1) {
+                zerror(zlogp, B_FALSE, "upper security-flags: '%s'"
+                    "are invalid", tab.zone_secflags_upper);
+                return (Z_BAD_PROPERTY);
+        } else if (delt.psd_ass_active != B_TRUE) {
+                zerror(zlogp, B_FALSE, "relative security-flags are not "
+                    "allowed in zone configuration (upper "
+                    "security-flags: '%s')",
+                    tab.zone_secflags_upper);
+                return (Z_BAD_PROPERTY);
+        } else {
+                secflags_copy(&secflags.psf_upper, &delt.psd_assign);
+        }
+
+        if (!psecflags_validate(&secflags)) {
+                zerror(zlogp, B_TRUE, "security-flags violate invariants");
+                return (Z_BAD_PROPERTY);
+        }
+
+        if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags,
+            sizeof (secflags))) != 0) {
+                zerror(zlogp, B_TRUE,
+                    "security-flags couldn't be set: %d", res);
+                return (Z_SYSTEM);
+        }
+
+        return (Z_OK);
+}
+
+static int
 setup_zone_fs_allowed(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid)
 {
         char fsallowed[ZONE_FS_ALLOWED_MAX];
         char *fsallowedp = fsallowed;
         int len = sizeof (fsallowed);

@@ -4605,11 +4696,11 @@
                 (void) strlcpy(fsallowed, DFLT_FS_ALLOWED, len);
         } else if (res != Z_OK) {
                 report_prop_err(zlogp, "fs-allowed", fsallowed, res);
                 return (res);
         } else if (fsallowed[0] == '-') {
-                /* dropping default privs - use remaining list */
+                /* dropping default filesystems - use remaining list */
                 if (fsallowed[1] != ',')
                         return (Z_OK);
                 fsallowedp += 2;
                 len -= 2;
         } else {

@@ -4650,10 +4741,13 @@
                 goto out;
 
         if ((res = setup_zone_fs_allowed(handle, zlogp, zoneid)) != Z_OK)
                 goto out;
 
+        if ((res = setup_zone_secflags(handle, zlogp, zoneid)) != Z_OK)
+                goto out;
+
 out:
         zonecfg_fini_handle(handle);
         return (res);
 }