Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 51,60 **** --- 51,61 ---- #include <stdlib.h> #include <string.h> #include <syslog.h> #include <sys/corectl.h> #include <sys/machelf.h> + #include <sys/secflags.h> #include <sys/task.h> #include <sys/types.h> #include <time.h> #include <unistd.h> #include <ucontext.h>
*** 2841,2851 **** if ((instpg = scf_pg_create(h)) == NULL || (methpg = scf_pg_create(h)) == NULL || (prop = scf_property_create(h)) == NULL || (val = scf_value_create(h)) == NULL) { err = mc_error_create(err, scf_error(), ! "Failed to create repository object: %s\n", scf_strerror(scf_error())); goto out; } /* --- 2842,2852 ---- if ((instpg = scf_pg_create(h)) == NULL || (methpg = scf_pg_create(h)) == NULL || (prop = scf_property_create(h)) == NULL || (val = scf_value_create(h)) == NULL) { err = mc_error_create(err, scf_error(), ! "Failed to create repository object: %s", scf_strerror(scf_error())); goto out; } /*
*** 2893,2903 **** case EINVAL: err = mc_error_create(err, ret, "Invalid method environment."); goto out; default: err = mc_error_create(err, ret, ! "Get method environment failed : %s\n", scf_strerror(ret)); goto out; } pg = methpg; --- 2894,2904 ---- case EINVAL: err = mc_error_create(err, ret, "Invalid method environment."); goto out; default: err = mc_error_create(err, ret, ! "Get method environment failed: %s", scf_strerror(ret)); goto out; } pg = methpg;
*** 3101,3110 **** --- 3102,3194 ---- err = mc_error_create(err, ENOMEM, ALLOCFAIL); goto out; } } + /* get security flags */ + if ((methpg != NULL && scf_pg_get_property(methpg, + SCF_PROPERTY_SECFLAGS, prop) == SCF_SUCCESS) || + (instpg != NULL && scf_pg_get_property(instpg, + SCF_PROPERTY_SECFLAGS, prop) == SCF_SUCCESS)) { + if (scf_property_get_value(prop, val) != SCF_SUCCESS) { + ret = scf_error(); + switch (ret) { + case SCF_ERROR_CONNECTION_BROKEN: + err = mc_error_create(err, ret, RCBROKEN); + break; + + case SCF_ERROR_CONSTRAINT_VIOLATED: + err = mc_error_create(err, ret, + "\"%s\" property has multiple values.", + SCF_PROPERTY_SECFLAGS); + break; + + case SCF_ERROR_NOT_FOUND: + err = mc_error_create(err, ret, + "\"%s\" property has no values.", + SCF_PROPERTY_SECFLAGS); + break; + + default: + bad_fail("scf_property_get_value", ret); + } + + (void) strlcpy(cip->vbuf, ":default", cip->vbuf_sz); + } else { + ret = scf_value_get_astring(val, cip->vbuf, + cip->vbuf_sz); + assert(ret != -1); + } + mc_used++; + } else { + ret = scf_error(); + switch (ret) { + case SCF_ERROR_NOT_FOUND: + /* okay if missing. */ + (void) strlcpy(cip->vbuf, ":default", cip->vbuf_sz); + break; + + case SCF_ERROR_CONNECTION_BROKEN: + err = mc_error_create(err, ret, RCBROKEN); + goto out; + + case SCF_ERROR_DELETED: + err = mc_error_create(err, ret, + "Property group could not be found"); + goto out; + + case SCF_ERROR_HANDLE_MISMATCH: + case SCF_ERROR_INVALID_ARGUMENT: + case SCF_ERROR_NOT_SET: + default: + bad_fail("scf_pg_get_property", ret); + } + } + + + if (scf_default_secflags(h, &cip->def_secflags) != 0) { + err = mc_error_create(err, EINVAL, "couldn't fetch " + "default security-flags"); + goto out; + } + + if (strcmp(cip->vbuf, ":default") == 0) { + if (secflags_parse(&cip->def_secflags.psf_inherit, "default", + &cip->secflag_delta) != 0) { + err = mc_error_create(err, EINVAL, "couldn't parse " + "security flags: %s", cip->vbuf); + goto out; + } + } else { + if (secflags_parse(&cip->def_secflags.psf_inherit, cip->vbuf, + &cip->secflag_delta) != 0) { + err = mc_error_create(err, EINVAL, "couldn't parse " + "security flags: %s", cip->vbuf); + goto out; + } + } + /* get (optional) corefile pattern */ if ((methpg != NULL && scf_pg_get_property(methpg, SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS) || (instpg != NULL && scf_pg_get_property(instpg, SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS)) {
*** 3341,3350 **** --- 3425,3447 ---- (void) memset(cip, 0, sizeof (*cip)); cip->uid = 0; cip->gid = 0; cip->euid = (uid_t)-1; cip->egid = (gid_t)-1; + + if (scf_default_secflags(h, &cip->def_secflags) != 0) { + err = mc_error_create(err, EINVAL, "couldn't fetch " + "default security-flags"); + goto out; + } + + if (secflags_parse(&cip->def_secflags.psf_inherit, "default", + &cip->secflag_delta) != 0) { + err = mc_error_create(err, EINVAL, "couldn't parse " + "security flags: %s", cip->vbuf); + goto out; + } } *mcpp = cip; out:
*** 3413,3422 **** --- 3510,3520 ---- int restarter_set_method_context(struct method_context *cip, const char **fp) { pid_t mypid = -1; int r, ret; + secflagdelta_t delta = {0}; cip->pwbuf = NULL; *fp = NULL; if (cip->gid != (gid_t)-1) {
*** 3508,3517 **** --- 3606,3648 ---- ret = -1; goto out; } } + + delta.psd_ass_active = B_TRUE; + secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_inherit); + if (psecflags(P_PID, P_MYID, PSF_INHERIT, + &delta) != 0) { + *fp = "psecflags (inherit defaults)"; + ret = errno; + goto out; + } + + if (psecflags(P_PID, P_MYID, PSF_INHERIT, + &cip->secflag_delta) != 0) { + *fp = "psecflags (inherit)"; + ret = errno; + goto out; + } + + secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_lower); + if (psecflags(P_PID, P_MYID, PSF_LOWER, + &delta) != 0) { + *fp = "psecflags (lower)"; + ret = errno; + goto out; + } + + secflags_copy(&delta.psd_assign, &cip->def_secflags.psf_upper); + if (psecflags(P_PID, P_MYID, PSF_UPPER, + &delta) != 0) { + *fp = "psecflags (upper)"; + ret = errno; + goto out; + } + if (restarter_rm_libs_loadable()) { if (cip->project == NULL) { if (settaskid(getprojid(), TASK_NORMAL) == -1) { switch (errno) { case EACCES: