Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

Split Close
Expand all
Collapse all
          --- old/usr/src/uts/common/sys/zone.h
          +++ new/usr/src/uts/common/sys/zone.h
↓ open down ↓ 32 lines elided ↑ open up ↑
  33   33  #include <sys/param.h>
  34   34  #include <sys/rctl.h>
  35   35  #include <sys/ipc_rctl.h>
  36   36  #include <sys/pset.h>
  37   37  #include <sys/tsol/label.h>
  38   38  #include <sys/cred.h>
  39   39  #include <sys/netstack.h>
  40   40  #include <sys/uadmin.h>
  41   41  #include <sys/ksynch.h>
  42   42  #include <sys/socket_impl.h>
       43 +#include <sys/secflags.h>
  43   44  #include <netinet/in.h>
  44   45  
  45   46  #ifdef  __cplusplus
  46   47  extern "C" {
  47   48  #endif
  48   49  
  49   50  /*
  50   51   * NOTE
  51   52   *
  52   53   * The contents of this file are private to the implementation of
↓ open down ↓ 44 lines elided ↑ open up ↑
  97   98  #define ZONE_ATTR_INITNAME      9
  98   99  #define ZONE_ATTR_BOOTARGS      10
  99  100  #define ZONE_ATTR_BRAND         11
 100  101  #define ZONE_ATTR_PHYS_MCAP     12
 101  102  #define ZONE_ATTR_SCHED_CLASS   13
 102  103  #define ZONE_ATTR_FLAGS         14
 103  104  #define ZONE_ATTR_HOSTID        15
 104  105  #define ZONE_ATTR_FS_ALLOWED    16
 105  106  #define ZONE_ATTR_NETWORK       17
 106  107  #define ZONE_ATTR_INITNORESTART 20
      108 +#define ZONE_ATTR_SECFLAGS      21
 107  109  
 108  110  /* Start of the brand-specific attribute namespace */
 109  111  #define ZONE_ATTR_BRAND_ATTRS   32768
 110  112  
 111  113  #define ZONE_FS_ALLOWED_MAX     1024
 112  114  
 113  115  #define ZONE_EVENT_CHANNEL      "com.sun:zones:status"
 114  116  #define ZONE_EVENT_STATUS_CLASS "status"
 115  117  #define ZONE_EVENT_STATUS_SUBCLASS      "change"
 116  118  
↓ open down ↓ 454 lines elided ↑ open up ↑
 571  573  
 572  574          kmutex_t        zone_mcap_lock; /* protects mcap statistics */
 573  575          kstat_t         *zone_mcap_ksp;
 574  576          zone_mcap_kstat_t *zone_mcap_stats;
 575  577          uint64_t        zone_pgpgin;            /* pages paged in */
 576  578          uint64_t        zone_anonpgin;          /* anon pages paged in */
 577  579          uint64_t        zone_execpgin;          /* exec pages paged in */
 578  580          uint64_t        zone_fspgin;            /* fs pages paged in */
 579  581          uint64_t        zone_anon_alloc_fail;   /* cnt of anon alloc fails */
 580  582  
      583 +        psecflags_t     zone_secflags; /* default zone security-flags */
      584 +
 581  585          /*
 582  586           * Misc. kstats and counters for zone cpu-usage aggregation.
 583  587           * The zone_Xtime values are the sum of the micro-state accounting
 584  588           * values for all threads that are running or have run in the zone.
 585  589           * This is tracked in msacct.c as threads change state.
 586  590           * The zone_stime is the sum of the LMS_SYSTEM times.
 587  591           * The zone_utime is the sum of the LMS_USER times.
 588  592           * The zone_wtime is the sum of the LMS_WAIT_CPU times.
 589  593           * As with per-thread micro-state accounting values, these values are
 590  594           * not scaled to nanosecs.  The scaling is done by the
↓ open down ↓ 273 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX