il_7029-4 Cdiff usr/src/uts/common/os/priv.c

Print this page

7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


*** 87,98 ****
  #else
          int alloc_test_priv = priv_debug;
  #endif
          rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
  
!         PRIV_BASIC_ASSERT(priv_basic);
!         PRIV_UNSAFE_ASSERT(&priv_unsafe);
          priv_fillset(&priv_fullset);
  
          /*
           * When booting with priv_debug set or in a DEBUG kernel, then we'll
           * add an additional basic privilege and we verify that it is always
--- 87,98 ----
  #else
          int alloc_test_priv = priv_debug;
  #endif
          rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
  
!         PRIV_BASIC_ADDSET(priv_basic);
!         PRIV_UNSAFE_ADDSET(&priv_unsafe);
          priv_fillset(&priv_fullset);
  
          /*
           * When booting with priv_debug set or in a DEBUG kernel, then we'll
           * add an additional basic privilege and we verify that it is always
*** 478,502 ****
  
  void
  priv_addset(priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         __PRIV_ASSERT(set, priv);
  }
  
  void
  priv_delset(priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         __PRIV_CLEAR(set, priv);
  }
  
  boolean_t
  priv_ismember(const priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
  }
  
  #define PRIV_TEST_BODY(test) \
          int i; \
  \
--- 478,502 ----
  
  void
  priv_addset(priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         __PRIV_ADDSET(set, priv);
  }
  
  void
  priv_delset(priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         __PRIV_DELSET(set, priv);
  }
  
  boolean_t
  priv_ismember(const priv_set_t *set, int priv)
  {
          ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
!         return (__PRIV_ISMEMBER(set, priv) ? B_TRUE : B_FALSE);
  }
  
  #define PRIV_TEST_BODY(test) \
          int i; \
  \