il_7029-3 Sdiff usr/src/lib/brand/sn1/zone/config.xml

Print this page

7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

  58         <privilege set="default" name="file_dac_execute" />
  59         <privilege set="default" name="file_dac_read" />
  60         <privilege set="default" name="file_dac_search" />
  61         <privilege set="default" name="file_dac_write" />
  62         <privilege set="default" name="file_owner" />
  63         <privilege set="default" name="file_setid" />
  64         <privilege set="default" name="ipc_dac_read" />
  65         <privilege set="default" name="ipc_dac_write" />
  66         <privilege set="default" name="ipc_owner" />
  67         <privilege set="default" name="net_bindmlp" />
  68         <privilege set="default" name="net_icmpaccess" />
  69         <privilege set="default" name="net_mac_aware" />
  70         <privilege set="default" name="net_observability" />
  71         <privilege set="default" name="net_privaddr" />
  72         <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
  73         <privilege set="default" name="proc_chroot" />
  74         <privilege set="default" name="sys_audit" />
  75         <privilege set="default" name="proc_audit" />
  76         <privilege set="default" name="proc_lock_memory" />
  77         <privilege set="default" name="proc_owner" />

  78         <privilege set="default" name="proc_setid" />
  79         <privilege set="default" name="proc_taskid" />
  80         <privilege set="default" name="sys_acct" />
  81         <privilege set="default" name="sys_admin" />
  82         <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
  83         <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
  84         <privilege set="default" name="sys_mount" />
  85         <privilege set="default" name="sys_nfs" />
  86         <privilege set="default" name="sys_resource" />
  87         <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
  88 
  89         <privilege set="prohibited" name="dtrace_kernel" />
  90         <privilege set="prohibited" name="proc_zone" />
  91         <privilege set="prohibited" name="sys_config" />
  92         <privilege set="prohibited" name="sys_devices" />
  93         <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
  94         <privilege set="prohibited" name="sys_linkdir" />
  95         <privilege set="prohibited" name="sys_net_config" />
  96         <privilege set="prohibited" name="sys_res_config" />
  97         <privilege set="prohibited" name="sys_suser_compat" />

  58         <privilege set="default" name="file_dac_execute" />
  59         <privilege set="default" name="file_dac_read" />
  60         <privilege set="default" name="file_dac_search" />
  61         <privilege set="default" name="file_dac_write" />
  62         <privilege set="default" name="file_owner" />
  63         <privilege set="default" name="file_setid" />
  64         <privilege set="default" name="ipc_dac_read" />
  65         <privilege set="default" name="ipc_dac_write" />
  66         <privilege set="default" name="ipc_owner" />
  67         <privilege set="default" name="net_bindmlp" />
  68         <privilege set="default" name="net_icmpaccess" />
  69         <privilege set="default" name="net_mac_aware" />
  70         <privilege set="default" name="net_observability" />
  71         <privilege set="default" name="net_privaddr" />
  72         <privilege set="default" name="net_rawaccess" ip-type="exclusive" />
  73         <privilege set="default" name="proc_chroot" />
  74         <privilege set="default" name="sys_audit" />
  75         <privilege set="default" name="proc_audit" />
  76         <privilege set="default" name="proc_lock_memory" />
  77         <privilege set="default" name="proc_owner" />
  78         <privilege set="default" name="proc_secflags" />
  79         <privilege set="default" name="proc_setid" />
  80         <privilege set="default" name="proc_taskid" />
  81         <privilege set="default" name="sys_acct" />
  82         <privilege set="default" name="sys_admin" />
  83         <privilege set="default" name="sys_ip_config" ip-type="exclusive" />
  84         <privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
  85         <privilege set="default" name="sys_mount" />
  86         <privilege set="default" name="sys_nfs" />
  87         <privilege set="default" name="sys_resource" />
  88         <privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
  89 
  90         <privilege set="prohibited" name="dtrace_kernel" />
  91         <privilege set="prohibited" name="proc_zone" />
  92         <privilege set="prohibited" name="sys_config" />
  93         <privilege set="prohibited" name="sys_devices" />
  94         <privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
  95         <privilege set="prohibited" name="sys_linkdir" />
  96         <privilege set="prohibited" name="sys_net_config" />
  97         <privilege set="prohibited" name="sys_res_config" />
  98         <privilege set="prohibited" name="sys_suser_compat" />