Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 305,314 **** --- 305,332 ---- used as a token to indicate the home directory of the user whose uid is used to launch the method. If the property is unset, :home is used. + security_flags + + The security flags to apply when launching the method. See + security-flags(5). + + + The "default" keyword specifies those flags specified in + svc:/system/process-security. The "all" keyword enables all flags, + the "none" keyword enables no flags. Further flags may be added by + specifying their name, or removed by specifying their name prefixed + by '-' or '!'. + + + Use of "all" has associated risks, as future versions of the system + may include further flags which may harm poorly implemented + software. + + corefile_pattern An optional string that specifies the corefile pattern to use for the service, as per coreadm(1M). Most restarters supply a default. Setting this property overrides local customizations to the global
*** 370,380 **** SEE ALSO zonename(1), coreadm(1M), inetd(1M), svccfg(1M), svc.startd(1M), exec(2), fork(2), getdefaultproj(3PROJECT), exec_attr(4), project(4), service_bundle(4), attributes(5), privileges(5), rbac(5), smf(5), ! smf_bootstrap(5), zones(5) NOTES The present version of smf(5) does not support multiple repositories. --- 388,398 ---- SEE ALSO zonename(1), coreadm(1M), inetd(1M), svccfg(1M), svc.startd(1M), exec(2), fork(2), getdefaultproj(3PROJECT), exec_attr(4), project(4), service_bundle(4), attributes(5), privileges(5), rbac(5), smf(5), ! smf_bootstrap(5), zones(5), security-flags(5) NOTES The present version of smf(5) does not support multiple repositories.
*** 383,388 **** aware. This can be surprising to developers who expect seteuid(<non- zero UID>) to reduce privileges to basic or less. ! May 20, 2009 SMF_METHOD(5) --- 401,406 ---- aware. This can be surprising to developers who expect seteuid(<non- zero UID>) to reduce privileges to basic or less. ! June 6, 2016 SMF_METHOD(5)
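Review bot: In the hunk at 305 that adds the security_flags entry, the text does not say what is applied when the property is unset, although the preceding entry does ("If the property is unset, :home is used."). State the unset behaviour explicitly, and say how multiple keywords and flag names are separated in the value, since "Further flags may be added by specifying their name" leaves the syntax open. The sentence 'The "all" keyword enables all flags, the "none" keyword enables no flags.' is a comma splice and reads better split in two or joined with "and".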
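Review bot: In the SEE ALSO hunk at 370, security-flags(5) is appended after zones(5), which breaks the alphabetical order the section 5 references otherwise follow (attributes, privileges, rbac, smf, smf_bootstrap, zones). Move it between rbac(5) and smf(5).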