Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 725,735 **** * QUESTION: */ void audit_closef(struct file *fp) ! { /* AUDIT_CLOSEF */ f_audit_data_t *fad; t_audit_data_t *tad; int success; au_state_t estate; struct vnode *vp; --- 725,735 ---- * QUESTION: */ void audit_closef(struct file *fp) ! { f_audit_data_t *fad; t_audit_data_t *tad; int success; au_state_t estate; struct vnode *vp;
*** 1596,1609 **** } /*ARGSUSED*/ void ! audit_fdsend(fd, fp, error) ! int fd; ! struct file *fp; ! int error; /* ignore for now */ { t_audit_data_t *tad; /* current thread */ f_audit_data_t *fad; /* per file audit structure */ struct vnode *vp; /* for file attributes */ --- 1596,1606 ---- } /*ARGSUSED*/ void ! audit_fdsend(int fd, struct file *fp, int error) { t_audit_data_t *tad; /* current thread */ f_audit_data_t *fad; /* per file audit structure */ struct vnode *vp; /* for file attributes */
*** 1671,1680 **** --- 1668,1742 ---- priv_addset(target, priv); } } /* + * Audit the psecflags() system call; the set name, current value, and delta + * are put in the audit trail. + */ + void + audit_psecflags(proc_t *p, + psecflagwhich_t which, + const secflagdelta_t *psd) + { + t_audit_data_t *tad; + secflagset_t new; + const secflagset_t *old; + const char *s; + cred_t *cr; + pid_t pid; + const auditinfo_addr_t *ainfo; + const psecflags_t *psec = &p->p_secflags; + + tad = U2A(u); + + if (tad->tad_flag == 0) + return; + + switch (which) { + case PSF_EFFECTIVE: + s = "effective"; + old = &psec->psf_effective; + break; + case PSF_INHERIT: + s = "inherit"; + old = &psec->psf_inherit; + break; + case PSF_LOWER: + s = "lower"; + old = &psec->psf_lower; + break; + case PSF_UPPER: + s = "upper"; + old = &psec->psf_upper; + break; + } + + secflags_copy(&new, old); + secflags_apply_delta(&new, psd); + + au_uwrite(au_to_secflags(s, *old)); + au_uwrite(au_to_secflags(s, new)); + + ASSERT(mutex_owned(&p->p_lock)); + mutex_enter(&p->p_crlock); + + pid = p->p_pid; + crhold(cr = p->p_cred); + mutex_exit(&p->p_crlock); + + if ((ainfo = crgetauinfo(cr)) == NULL) { + crfree(cr); + return; + } + + AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid); + + crfree(cr); + } + + /* * Audit the setpriv() system call; the operation, the set name and * the current value as well as the set argument are put in the * audit trail. */ void
*** 1747,1759 **** } } /*ARGSUSED*/ void ! audit_fdrecv(fd, fp) ! int fd; ! struct file *fp; { t_audit_data_t *tad; /* current thread */ f_audit_data_t *fad; /* per file audit structure */ struct vnode *vp; /* for file attributes */ --- 1809,1819 ---- } } /*ARGSUSED*/ void ! audit_fdrecv(int fd, struct file *fp) { t_audit_data_t *tad; /* current thread */ f_audit_data_t *fad; /* per file audit structure */ struct vnode *vp; /* for file attributes */