7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
        
*** 9514,9523 ****
--- 9514,9525 ----
              SCF_SUCCESS ||
              scf_pg_get_property(pg, SCF_PROPERTY_PROJECT, NULL) ==
              SCF_SUCCESS ||
              scf_pg_get_property(pg, SCF_PROPERTY_RESOURCE_POOL, NULL) ==
              SCF_SUCCESS ||
+             scf_pg_get_property(pg, SCF_PROPERTY_SECFLAGS, NULL) ==
+             SCF_SUCCESS ||
              scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, NULL) ==
              SCF_SUCCESS;
  
          if (nonenv) {
                  ctxt = xmlNewNode(NULL, (xmlChar *)"method_context");
*** 9538,9547 ****
--- 9540,9555 ----
                  if (pg_get_prop(pg, SCF_PROPERTY_RESOURCE_POOL, exp_prop) ==
                      0 &&
                      set_attr_from_prop_default(exp_prop, ctxt,
                      "resource_pool", ":default") != 0)
                          err = 1;
+ 
+                 if (pg_get_prop(pg, SCF_PROPERTY_SECFLAGS, exp_prop) == 0 &&
+                     set_attr_from_prop_default(exp_prop, ctxt,
+                     "security_flags", ":default") != 0)
+                         err = 1;
+ 
                  /*
                   * We only want to complain about profile or credential
                   * properties if we will use them.  To determine that we must
                   * examine USE_PROFILE.
                   */
*** 9660,9670 ****
                                  continue;
                  } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_GROUP) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0 ||
!                     strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0) {
                          if (nonenv && !use_profile)
                                  continue;
                  } else if (strcmp(exp_str, SCF_PROPERTY_PROFILE) == 0) {
                          if (nonenv && use_profile)
                                  continue;
--- 9668,9679 ----
                                  continue;
                  } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_GROUP) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0 ||
                      strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0 ||
!                     strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0 ||
!                     strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
                          if (nonenv && !use_profile)
                                  continue;
                  } else if (strcmp(exp_str, SCF_PROPERTY_PROFILE) == 0) {
                          if (nonenv && use_profile)
                                  continue;
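Review bot: `SCF_PROPERTY_SECFLAGS` is added to the credential group (user, group, supp_groups, privileges, limit_privileges), whose skip is conditioned on `nonenv && !use_profile`, but the hunk at new lines 9540-9555 writes `security_flags` onto `ctxt` next to `resource_pool`, before `USE_PROFILE` is examined. If that reading is right, a method context with `use_profile` set never reaches `continue` for the secflags property. Depending on what the loop does after this chain (outside the hunk), the exploit-mitigation setting could then be exported a second time as a generic property, or flagged as unexpected. Consider moving the comparison to the branch that skips the other context-level attributes with `if (nonenv) continue;`, which is presumably the branch ending at the `continue;` that opens this hunk. A one-line comment such as `/* security_flags is a method_context attribute, independent of use_profile */` would document the grouping.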
*** 9846,9855 ****
--- 9855,9868 ----
                                  err = 1;
                  } else if (strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0) {
                          if (set_attr_from_prop(exp_prop, n,
                              "resource_pool") != 0)
                                  err = 1;
+                 } else if (strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
+                         if (set_attr_from_prop(exp_prop, n,
+                             "security_flags") != 0)
+                                 err = 1;
                  } else if (strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
                          /* EMPTY */
                  } else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0) {
                          if (use_profile ||
                              set_attr_from_prop(exp_prop, cred, "user") != 0)