Print this page
Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
*** 305,314 ****
--- 305,332 ----
used as a token to indicate the home directory of the user whose
uid is used to launch the method. If the property is unset, :home
is used.
+ security_flags
+
+ The security flags to apply when launching the method. See
+ security-flags(5).
+
+
+ The "default" keyword specifies those flags specified in
+ svc:/system/process-security. The "all" keyword enables all flags,
+ the "none" keyword enables no flags. Further flags may be added by
+ specifying their name, or removed by specifying their name prefixed
+ by '-' or '!'.
+
+
+ Use of "all" has associated risks, as future versions of the system
+ may include further flags which may harm poorly implemented
+ software.
+
+
corefile_pattern
An optional string that specifies the corefile pattern to use for
the service, as per coreadm(1M). Most restarters supply a default.
Setting this property overrides local customizations to the global
*** 370,380 ****
SEE ALSO
zonename(1), coreadm(1M), inetd(1M), svccfg(1M), svc.startd(1M),
exec(2), fork(2), getdefaultproj(3PROJECT), exec_attr(4), project(4),
service_bundle(4), attributes(5), privileges(5), rbac(5), smf(5),
! smf_bootstrap(5), zones(5)
NOTES
The present version of smf(5) does not support multiple repositories.
--- 388,398 ----
SEE ALSO
zonename(1), coreadm(1M), inetd(1M), svccfg(1M), svc.startd(1M),
exec(2), fork(2), getdefaultproj(3PROJECT), exec_attr(4), project(4),
service_bundle(4), attributes(5), privileges(5), rbac(5), smf(5),
! smf_bootstrap(5), zones(5), security-flags(5)
NOTES
The present version of smf(5) does not support multiple repositories.
*** 383,388 ****
aware. This can be surprising to developers who expect seteuid(<non-
zero UID>) to reduce privileges to basic or less.
! May 20, 2009 SMF_METHOD(5)
--- 401,406 ----
aware. This can be surprising to developers who expect seteuid(<non-
zero UID>) to reduce privileges to basic or less.
! June 6, 2016 SMF_METHOD(5)