7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -250,10 +250,17 @@
 struct zone_admintab {
         char    zone_admin_user[MAXUSERNAME];
         char    zone_admin_auths[MAXAUTHS];
 };
 
+#define ZONECFG_SECFLAGS_MAX    1024
+struct zone_secflagstab {
+        char zone_secflags_lower[ZONECFG_SECFLAGS_MAX];
+        char zone_secflags_upper[ZONECFG_SECFLAGS_MAX];
+        char zone_secflags_default[ZONECFG_SECFLAGS_MAX];
+};
+
 typedef struct zone_userauths {
         char                    user[MAXUSERNAME];
         char                    zonename[ZONENAME_MAX];
         struct zone_userauths   *next;
 } zone_userauths_t;
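Review bot: The three buffers in `struct zone_secflagstab` and the `ZONECFG_SECFLAGS_MAX` bound have no comment saying what the strings contain or what happens to a value that does not fit. These fields presumably hold the textual lower, upper and default security-flag sets for a zone, so a value silently truncated at 1024 bytes could lose a flag name from the end of the list and leave the zone with a different mitigation set than the administrator configured. The code that fills the buffers is outside this hunk and should treat an overlong value as an error rather than truncate. I would add above the define, once that behaviour is confirmed, `/* Size, including the terminating NUL, of a textual secflags specification. */` plus a one-line comment on each field. The struct is also 3 KiB, which is worth stating for callers that place it on the stack.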

@@ -426,10 +433,20 @@
  */
 extern  int     zonecfg_delete_mcap(zone_dochandle_t);
 extern  int     zonecfg_modify_mcap(zone_dochandle_t, struct zone_mcaptab *);
 extern  int     zonecfg_lookup_mcap(zone_dochandle_t, struct zone_mcaptab *);
 
+/* security-flags configuration */
+extern  int     zonecfg_add_secflags(zone_dochandle_t,
+    struct zone_secflagstab *);
+extern  int     zonecfg_delete_secflags(zone_dochandle_t,
+    struct zone_secflagstab *);
+extern  int     zonecfg_modify_secflags(zone_dochandle_t,
+    struct zone_secflagstab *, struct zone_secflagstab *);
+extern  int     zonecfg_lookup_secflags(zone_dochandle_t,
+    struct zone_secflagstab *);
+
 /*
  * Temporary pool support functions.
  */
 extern  int     zonecfg_destroy_tmp_pool(char *, char *, int);
 extern  int     zonecfg_bind_tmp_pool(zone_dochandle_t, zoneid_t, char *, int);
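Review bot: The prototype of `zonecfg_modify_secflags` takes two unnamed `struct zone_secflagstab *` arguments of the same type, and the comment `/* security-flags configuration */` does not say which is the existing entry and which is the replacement. A caller that swaps them still compiles and would write the wrong flag sets back into the zone configuration. I would document the order next to the declaration, for example `/* modify: (handle, old entry, new entry) */`, after confirming it against the implementation, which is not visible in this hunk. `zonecfg_delete_secflags` also takes a table pointer while the adjacent `zonecfg_delete_mcap` takes only the handle, so a short note on what the pointer is used for would help.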

@@ -493,10 +510,12 @@
     struct zone_devpermtab *);
 extern  int     zonecfg_enddevperment(zone_dochandle_t);
 extern  int     zonecfg_setadminent(zone_dochandle_t);
 extern  int     zonecfg_getadminent(zone_dochandle_t, struct zone_admintab *);
 extern  int     zonecfg_endadminent(zone_dochandle_t);
+extern  int     zonecfg_getsecflagsent(zone_dochandle_t,
+    struct zone_secflagstab *);
 
 /*
  * Privilege-related functions.
  */
 extern  int     zonecfg_default_privset(priv_set_t *, const char *);
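Review bot: `zonecfg_getsecflagsent` is declared without any `set`/`end` counterpart in this hunk, unlike the `zonecfg_setadminent` / `zonecfg_getadminent` / `zonecfg_endadminent` triple directly above it. A reader cannot tell from the header whether the function is self-contained or needs a prior `set...ent` call on the handle. A one-line comment such as `/* standalone: reads the zone's single secflags entry, no set/end pair required */` would settle it, if that is indeed the contract. If it is not, the missing declarations should be added.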