7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -95,10 +95,11 @@
 #define DTD_ELEM_MCAP           (const xmlChar *) "mcap"
 #define DTD_ELEM_PACKAGE        (const xmlChar *) "package"
 #define DTD_ELEM_OBSOLETES      (const xmlChar *) "obsoletes"
 #define DTD_ELEM_DEV_PERM       (const xmlChar *) "dev-perm"
 #define DTD_ELEM_ADMIN          (const xmlChar *) "admin"
+#define DTD_ELEM_SECFLAGS       (const xmlChar *) "security-flags"
 
 #define DTD_ATTR_ACTION         (const xmlChar *) "action"
 #define DTD_ATTR_ADDRESS        (const xmlChar *) "address"
 #define DTD_ATTR_ALLOWED_ADDRESS        (const xmlChar *) "allowed-address"
 #define DTD_ATTR_AUTOBOOT       (const xmlChar *) "autoboot"

@@ -132,10 +133,14 @@
 #define DTD_ATTR_BRAND          (const xmlChar *) "brand"
 #define DTD_ATTR_HOSTID         (const xmlChar *) "hostid"
 #define DTD_ATTR_USER           (const xmlChar *) "user"
 #define DTD_ATTR_AUTHS          (const xmlChar *) "auths"
 #define DTD_ATTR_FS_ALLOWED     (const xmlChar *) "fs-allowed"
+#define DTD_ATTR_DEFAULT        (const xmlChar *) "default"
+#define DTD_ATTR_LOWER          (const xmlChar *) "lower"
+#define DTD_ATTR_UPPER          (const xmlChar *) "upper"
+
 
 #define DTD_ENTITY_BOOLEAN      "boolean"
 #define DTD_ENTITY_DEVPATH      "devpath"
 #define DTD_ENTITY_DRIVER       "driver"
 #define DTD_ENTITY_DRVMIN       "drv_min"

@@ -2633,10 +2638,11 @@
             zonename)) != Z_OK)
                 return (err);
 
         return (Z_OK);
 }
+
 static int
 zonecfg_delete_auth_core(zone_dochandle_t handle, struct zone_admintab *tabptr,
     char *zonename)
 {
         xmlNodePtr cur = handle->zone_dh_cur;

@@ -2745,10 +2751,163 @@
                 return (err);
 
         return (Z_OK);
 }
 
+static int
+zonecfg_add_secflags_core(zone_dochandle_t handle,
+    struct zone_secflagstab *tabptr)
+{
+        xmlNodePtr newnode, cur = handle->zone_dh_cur;
+        int err;
+
+        newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);
+        err = newprop(newnode, DTD_ATTR_DEFAULT, tabptr->zone_secflags_default);
+        if (err != Z_OK)
+                return (err);
+        err = newprop(newnode, DTD_ATTR_LOWER, tabptr->zone_secflags_lower);
+        if (err != Z_OK)
+                return (err);
+        err = newprop(newnode, DTD_ATTR_UPPER, tabptr->zone_secflags_upper);
+        if (err != Z_OK)
+                return (err);
+
+        return (Z_OK);
+}
+
+int
+zonecfg_add_secflags(zone_dochandle_t handle, struct zone_secflagstab *tabptr)
+{
+        int err;
+
+
+        if (tabptr == NULL)
+                return (Z_INVAL);
+
+        if ((err = operation_prep(handle)) != Z_OK)
+                return (err);
+
+        if ((err = zonecfg_add_secflags_core(handle, tabptr)) != Z_OK)
+                return (err);
+
+        return (Z_OK);
+}
+
+static int
+zonecfg_delete_secflags_core(zone_dochandle_t handle,
+    struct zone_secflagstab *tabptr)
+{
+        xmlNodePtr cur = handle->zone_dh_cur;
+        boolean_t def_match, low_match, up_match;
+
+        for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+                if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+                        continue;
+
+                def_match = match_prop(cur, DTD_ATTR_DEFAULT,
+                    tabptr->zone_secflags_default);
+                low_match = match_prop(cur, DTD_ATTR_LOWER,
+                    tabptr->zone_secflags_lower);
+                up_match = match_prop(cur, DTD_ATTR_UPPER,
+                    tabptr->zone_secflags_upper);
+
+                if (def_match && low_match && up_match) {
+                        xmlUnlinkNode(cur);
+                        xmlFreeNode(cur);
+                        return (Z_OK);
+                }
+
+        }
+        return (Z_NO_RESOURCE_ID);
+}
+
+int
+zonecfg_delete_secflags(zone_dochandle_t handle,
+    struct zone_secflagstab *tabptr)
+{
+        int err;
+
+        if (tabptr == NULL)
+                return (Z_INVAL);
+
+        if ((err = operation_prep(handle)) != Z_OK)
+                return (err);
+
+        if ((err = zonecfg_delete_secflags_core(handle, tabptr)) != Z_OK)
+                return (err);
+
+        return (Z_OK);
+}
+
+int
+zonecfg_modify_secflags(zone_dochandle_t handle,
+    struct zone_secflagstab *oldtabptr,
+    struct zone_secflagstab *newtabptr)
+{
+        int err;
+
+        if (oldtabptr == NULL || newtabptr == NULL)
+                return (Z_INVAL);
+
+        if ((err = operation_prep(handle)) != Z_OK)
+                return (err);
+
+        if ((err = zonecfg_delete_secflags_core(handle, oldtabptr))
+            != Z_OK)
+                return (err);
+
+        if ((err = zonecfg_add_secflags_core(handle, newtabptr)) != Z_OK)
+                return (err);
+
+        return (Z_OK);
+}
+
+int
+zonecfg_lookup_secflags(zone_dochandle_t handle,
+    struct zone_secflagstab *tabptr)
+{
+        xmlNodePtr cur;
+        int err;
+
+        if (tabptr == NULL)
+                return (Z_INVAL);
+
+        if ((err = operation_prep(handle)) != Z_OK)
+                return (err);
+
+        cur = handle->zone_dh_cur;
+
+        for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+                if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+                        continue;
+
+                if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+                    tabptr->zone_secflags_default,
+                    sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+                        handle->zone_dh_cur = handle->zone_dh_top;
+                        return (err);
+                }
+
+                if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+                    tabptr->zone_secflags_lower,
+                    sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+                        handle->zone_dh_cur = handle->zone_dh_top;
+                        return (err);
+                }
+
+                if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+                    tabptr->zone_secflags_upper,
+                    sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+                        handle->zone_dh_cur = handle->zone_dh_top;
+                        return (err);
+                }
+
+                return (Z_OK);
+        }
+
+        return (Z_NO_ENTRY);
+}
 
 /* Lock to serialize all devwalks */
 static pthread_mutex_t zonecfg_devwalk_lock = PTHREAD_MUTEX_INITIALIZER;
 /*
  * Global variables used to pass data from zonecfg_dev_manifest to the nftw
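Review bot: zonecfg_add_secflags_core never checks the result of xmlNewTextChild(), and on the first newprop() failure it returns with the partly populated security-flags element still linked under handle->zone_dh_cur. This matters most through zonecfg_modify_secflags, which has already deleted the old element by that point, so a failed modify leaves the in-memory document with either no secflags entry or a truncated one. What a consumer applies in that case is not visible here, but for exploit-mitigation settings it should not be left to chance. I would fail on a NULL node and unlink and free the new node on any property error, as below; Z_NOMEM is assumed to be the right code for the allocation failure, and newprop's own NULL handling is outside this hunk.

```c
static int
zonecfg_add_secflags_core(zone_dochandle_t handle,
    struct zone_secflagstab *tabptr)
{
        xmlNodePtr newnode, cur = handle->zone_dh_cur;
        int err;

        newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);
        if (newnode == NULL)
                return (Z_NOMEM);

        if ((err = newprop(newnode, DTD_ATTR_DEFAULT,
            tabptr->zone_secflags_default)) != Z_OK ||
            (err = newprop(newnode, DTD_ATTR_LOWER,
            tabptr->zone_secflags_lower)) != Z_OK ||
            (err = newprop(newnode, DTD_ATTR_UPPER,
            tabptr->zone_secflags_upper)) != Z_OK) {
                /* never leave a half-populated element in the document */
                xmlUnlinkNode(newnode);
                xmlFreeNode(newnode);
                return (err);
        }

        return (Z_OK);
}
```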

@@ -2928,11 +3087,12 @@
  * If the callback function returns non-zero zonecfg_find_mounts
  * aborts with an error.
  */
 int
 zonecfg_find_mounts(char *rootpath, int (*callback)(const struct mnttab *,
-    void *), void *priv) {
+    void *), void *priv)
+{
         FILE *mnttab;
         struct mnttab m;
         size_t l;
         int zfsl;
         int rv = 0;

@@ -6919,10 +7079,65 @@
         }
 
         return (Z_NO_ENTRY);
 }
 
+int
+zonecfg_getsecflagsent(zone_dochandle_t handle,
+    struct zone_secflagstab *tabptr)
+{
+        int err;
+        xmlNodePtr cur;
+
+        if (handle == NULL)
+                return (Z_INVAL);
+
+        if ((err = zonecfg_setent(handle)) != Z_OK)
+                return (err);
+
+
+        if ((cur = handle->zone_dh_cur) == NULL)
+                return (Z_NO_ENTRY);
+
+        for (; cur != NULL; cur = cur->next) {
+                if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) == 0)
+                        break;
+        }
+
+        if (cur == NULL) {
+                handle->zone_dh_cur = handle->zone_dh_top;
+                return (Z_NO_ENTRY);
+        }
+
+        if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+            tabptr->zone_secflags_default,
+            sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+                handle->zone_dh_cur = handle->zone_dh_top;
+                return (err);
+        }
+
+        if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+            tabptr->zone_secflags_lower,
+            sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+                handle->zone_dh_cur = handle->zone_dh_top;
+                return (err);
+        }
+
+        if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+            tabptr->zone_secflags_upper,
+            sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+                handle->zone_dh_cur = handle->zone_dh_top;
+                return (err);
+        }
+
+        handle->zone_dh_cur = cur->next;
+
+        (void) zonecfg_endent(handle);
+
+        return (err);
+}
+
 static int
 getmcapent_core(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
 {
         xmlNodePtr cur;
         int err;
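Review bot: zonecfg_getsecflagsent validates handle but not tabptr, although every fetchprop() call in it writes through tabptr->zone_secflags_*. The other public secflags entry points in this change (add, delete, modify, lookup) all return Z_INVAL for a NULL table pointer. The opening guard should match them: `if (handle == NULL || tabptr == NULL) return (Z_INVAL);`. A short comment above the function would also help, stating that a fetchprop() failure may leave tabptr partially filled and resets zone_dh_cur to zone_dh_top.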