7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
*** 95,104 ****
--- 95,105 ----
#define DTD_ELEM_MCAP (const xmlChar *) "mcap"
#define DTD_ELEM_PACKAGE (const xmlChar *) "package"
#define DTD_ELEM_OBSOLETES (const xmlChar *) "obsoletes"
#define DTD_ELEM_DEV_PERM (const xmlChar *) "dev-perm"
#define DTD_ELEM_ADMIN (const xmlChar *) "admin"
+ #define DTD_ELEM_SECFLAGS (const xmlChar *) "security-flags"
#define DTD_ATTR_ACTION (const xmlChar *) "action"
#define DTD_ATTR_ADDRESS (const xmlChar *) "address"
#define DTD_ATTR_ALLOWED_ADDRESS (const xmlChar *) "allowed-address"
#define DTD_ATTR_AUTOBOOT (const xmlChar *) "autoboot"
*** 132,141 ****
--- 133,146 ----
#define DTD_ATTR_BRAND (const xmlChar *) "brand"
#define DTD_ATTR_HOSTID (const xmlChar *) "hostid"
#define DTD_ATTR_USER (const xmlChar *) "user"
#define DTD_ATTR_AUTHS (const xmlChar *) "auths"
#define DTD_ATTR_FS_ALLOWED (const xmlChar *) "fs-allowed"
+ #define DTD_ATTR_DEFAULT (const xmlChar *) "default"
+ #define DTD_ATTR_LOWER (const xmlChar *) "lower"
+ #define DTD_ATTR_UPPER (const xmlChar *) "upper"
+
#define DTD_ENTITY_BOOLEAN "boolean"
#define DTD_ENTITY_DEVPATH "devpath"
#define DTD_ENTITY_DRIVER "driver"
#define DTD_ENTITY_DRVMIN "drv_min"
*** 2633,2642 ****
--- 2638,2648 ----
zonename)) != Z_OK)
return (err);
return (Z_OK);
}
+
static int
zonecfg_delete_auth_core(zone_dochandle_t handle, struct zone_admintab *tabptr,
char *zonename)
{
xmlNodePtr cur = handle->zone_dh_cur;
*** 2745,2754 ****
--- 2751,2913 ----
return (err);
return (Z_OK);
}
+ static int
+ zonecfg_add_secflags_core(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+ {
+ xmlNodePtr newnode, cur = handle->zone_dh_cur;
+ int err;
+
+ newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);
+ err = newprop(newnode, DTD_ATTR_DEFAULT, tabptr->zone_secflags_default);
+ if (err != Z_OK)
+ return (err);
+ err = newprop(newnode, DTD_ATTR_LOWER, tabptr->zone_secflags_lower);
+ if (err != Z_OK)
+ return (err);
+ err = newprop(newnode, DTD_ATTR_UPPER, tabptr->zone_secflags_upper);
+ if (err != Z_OK)
+ return (err);
+
+ return (Z_OK);
+ }
+
+ int
+ zonecfg_add_secflags(zone_dochandle_t handle, struct zone_secflagstab *tabptr)
+ {
+ int err;
+
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_add_secflags_core(handle, tabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+ }
+
+ static int
+ zonecfg_delete_secflags_core(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+ {
+ xmlNodePtr cur = handle->zone_dh_cur;
+ boolean_t def_match, low_match, up_match;
+
+ for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+ continue;
+
+ def_match = match_prop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default);
+ low_match = match_prop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower);
+ up_match = match_prop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper);
+
+ if (def_match && low_match && up_match) {
+ xmlUnlinkNode(cur);
+ xmlFreeNode(cur);
+ return (Z_OK);
+ }
+
+ }
+ return (Z_NO_RESOURCE_ID);
+ }
+
+ int
+ zonecfg_delete_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+ {
+ int err;
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_delete_secflags_core(handle, tabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+ }
+
+ int
+ zonecfg_modify_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *oldtabptr,
+ struct zone_secflagstab *newtabptr)
+ {
+ int err;
+
+ if (oldtabptr == NULL || newtabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_delete_secflags_core(handle, oldtabptr))
+ != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_add_secflags_core(handle, newtabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+ }
+
+ int
+ zonecfg_lookup_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+ {
+ xmlNodePtr cur;
+ int err;
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ cur = handle->zone_dh_cur;
+
+ for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+ continue;
+
+ if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default,
+ sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower,
+ sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper,
+ sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ return (Z_OK);
+ }
+
+ return (Z_NO_ENTRY);
+ }
/* Lock to serialize all devwalks */
static pthread_mutex_t zonecfg_devwalk_lock = PTHREAD_MUTEX_INITIALIZER;
/*
* Global variables used to pass data from zonecfg_dev_manifest to the nftw
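Review bot: zonecfg_add_secflags_core stores the `default`, `lower` and `upper` strings from tabptr into the document verbatim; nothing in this layer checks that the three values are well-formed flag sets or that default lies within the lower/upper bounds, so a configuration that the kernel-side secflags code would reject can still be persisted if the caller skips that check. If that validation deliberately lives in the zonecfg front end, a header comment on zonecfg_add_secflags such as `/* Stores the three flag sets verbatim; the caller is responsible for validating them. */` would make the contract explicit. The `newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);` result is handed to newprop without a NULL check; newprop is outside the hunk, so whether it tolerates a NULL node cannot be confirmed here, and the other *_core routines appear to follow the same pattern, so a guard like `if (newnode == NULL) return (Z_NOMEM);` is only worth adding if it is applied consistently. In zonecfg_modify_secflags the old entry is deleted before the new one is added, so a failure in zonecfg_add_secflags_core leaves the handle with no security-flags element at all; this matches the other modify routines, but is worth a comment on the function.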
*** 2928,2938 ****
* If the callback function returns non-zero zonecfg_find_mounts
* aborts with an error.
*/
int
zonecfg_find_mounts(char *rootpath, int (*callback)(const struct mnttab *,
! void *), void *priv) {
FILE *mnttab;
struct mnttab m;
size_t l;
int zfsl;
int rv = 0;
--- 3087,3098 ----
* If the callback function returns non-zero zonecfg_find_mounts
* aborts with an error.
*/
int
zonecfg_find_mounts(char *rootpath, int (*callback)(const struct mnttab *,
! void *), void *priv)
! {
FILE *mnttab;
struct mnttab m;
size_t l;
int zfsl;
int rv = 0;
*** 6919,6928 ****
--- 7079,7143 ----
}
return (Z_NO_ENTRY);
}
+ int
+ zonecfg_getsecflagsent(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+ {
+ int err;
+ xmlNodePtr cur;
+
+ if (handle == NULL)
+ return (Z_INVAL);
+
+ if ((err = zonecfg_setent(handle)) != Z_OK)
+ return (err);
+
+
+ if ((cur = handle->zone_dh_cur) == NULL)
+ return (Z_NO_ENTRY);
+
+ for (; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) == 0)
+ break;
+ }
+
+ if (cur == NULL) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (Z_NO_ENTRY);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default,
+ sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower,
+ sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper,
+ sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ handle->zone_dh_cur = cur->next;
+
+ (void) zonecfg_endent(handle);
+
+ return (err);
+ }
+
static int
getmcapent_core(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
{
xmlNodePtr cur;
int err;
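Review bot: zonecfg_getsecflagsent rejects a NULL handle but not a NULL tabptr, while the call `fetchprop(cur, DTD_ATTR_DEFAULT, tabptr->zone_secflags_default, ...)` dereferences it; the sibling routines in this change (zonecfg_add_secflags, zonecfg_lookup_secflags) return Z_INVAL for a NULL tabptr, so the guard should read `if (handle == NULL || tabptr == NULL) return (Z_INVAL);`. The three fetchprop error paths reset zone_dh_cur to zone_dh_top but never call zonecfg_endent, so whether iterator state is fully released on failure depends on zonecfg_setent/zonecfg_endent, which are outside the hunk. The final `return (err);` returns whatever the last fetchprop produced, which can only be Z_OK at that point; `return (Z_OK);` would state the intent directly.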