Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -95,10 +95,11 @@
#define DTD_ELEM_MCAP (const xmlChar *) "mcap"
#define DTD_ELEM_PACKAGE (const xmlChar *) "package"
#define DTD_ELEM_OBSOLETES (const xmlChar *) "obsoletes"
#define DTD_ELEM_DEV_PERM (const xmlChar *) "dev-perm"
#define DTD_ELEM_ADMIN (const xmlChar *) "admin"
+#define DTD_ELEM_SECFLAGS (const xmlChar *) "security-flags"
#define DTD_ATTR_ACTION (const xmlChar *) "action"
#define DTD_ATTR_ADDRESS (const xmlChar *) "address"
#define DTD_ATTR_ALLOWED_ADDRESS (const xmlChar *) "allowed-address"
#define DTD_ATTR_AUTOBOOT (const xmlChar *) "autoboot"
@@ -132,10 +133,14 @@
#define DTD_ATTR_BRAND (const xmlChar *) "brand"
#define DTD_ATTR_HOSTID (const xmlChar *) "hostid"
#define DTD_ATTR_USER (const xmlChar *) "user"
#define DTD_ATTR_AUTHS (const xmlChar *) "auths"
#define DTD_ATTR_FS_ALLOWED (const xmlChar *) "fs-allowed"
+#define DTD_ATTR_DEFAULT (const xmlChar *) "default"
+#define DTD_ATTR_LOWER (const xmlChar *) "lower"
+#define DTD_ATTR_UPPER (const xmlChar *) "upper"
+
#define DTD_ENTITY_BOOLEAN "boolean"
#define DTD_ENTITY_DEVPATH "devpath"
#define DTD_ENTITY_DRIVER "driver"
#define DTD_ENTITY_DRVMIN "drv_min"
@@ -2633,10 +2638,11 @@
zonename)) != Z_OK)
return (err);
return (Z_OK);
}
+
static int
zonecfg_delete_auth_core(zone_dochandle_t handle, struct zone_admintab *tabptr,
char *zonename)
{
xmlNodePtr cur = handle->zone_dh_cur;
@@ -2745,10 +2751,163 @@
return (err);
return (Z_OK);
}
+static int
+zonecfg_add_secflags_core(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+{
+ xmlNodePtr newnode, cur = handle->zone_dh_cur;
+ int err;
+
+ newnode = xmlNewTextChild(cur, NULL, DTD_ELEM_SECFLAGS, NULL);
+ err = newprop(newnode, DTD_ATTR_DEFAULT, tabptr->zone_secflags_default);
+ if (err != Z_OK)
+ return (err);
+ err = newprop(newnode, DTD_ATTR_LOWER, tabptr->zone_secflags_lower);
+ if (err != Z_OK)
+ return (err);
+ err = newprop(newnode, DTD_ATTR_UPPER, tabptr->zone_secflags_upper);
+ if (err != Z_OK)
+ return (err);
+
+ return (Z_OK);
+}
+
+int
+zonecfg_add_secflags(zone_dochandle_t handle, struct zone_secflagstab *tabptr)
+{
+ int err;
+
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_add_secflags_core(handle, tabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+}
+
+static int
+zonecfg_delete_secflags_core(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+{
+ xmlNodePtr cur = handle->zone_dh_cur;
+ boolean_t def_match, low_match, up_match;
+
+ for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+ continue;
+
+ def_match = match_prop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default);
+ low_match = match_prop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower);
+ up_match = match_prop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper);
+
+ if (def_match && low_match && up_match) {
+ xmlUnlinkNode(cur);
+ xmlFreeNode(cur);
+ return (Z_OK);
+ }
+
+ }
+ return (Z_NO_RESOURCE_ID);
+}
+
+int
+zonecfg_delete_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+{
+ int err;
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_delete_secflags_core(handle, tabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+}
+
+int
+zonecfg_modify_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *oldtabptr,
+ struct zone_secflagstab *newtabptr)
+{
+ int err;
+
+ if (oldtabptr == NULL || newtabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_delete_secflags_core(handle, oldtabptr))
+ != Z_OK)
+ return (err);
+
+ if ((err = zonecfg_add_secflags_core(handle, newtabptr)) != Z_OK)
+ return (err);
+
+ return (Z_OK);
+}
+
+int
+zonecfg_lookup_secflags(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+{
+ xmlNodePtr cur;
+ int err;
+
+ if (tabptr == NULL)
+ return (Z_INVAL);
+
+ if ((err = operation_prep(handle)) != Z_OK)
+ return (err);
+
+ cur = handle->zone_dh_cur;
+
+ for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) != 0)
+ continue;
+
+ if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default,
+ sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower,
+ sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper,
+ sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ return (Z_OK);
+ }
+
+ return (Z_NO_ENTRY);
+}
/* Lock to serialize all devwalks */
static pthread_mutex_t zonecfg_devwalk_lock = PTHREAD_MUTEX_INITIALIZER;
/*
* Global variables used to pass data from zonecfg_dev_manifest to the nftw
@@ -2928,11 +3087,12 @@
* If the callback function returns non-zero zonecfg_find_mounts
* aborts with an error.
*/
int
zonecfg_find_mounts(char *rootpath, int (*callback)(const struct mnttab *,
- void *), void *priv) {
+ void *), void *priv)
+{
FILE *mnttab;
struct mnttab m;
size_t l;
int zfsl;
int rv = 0;
@@ -6919,10 +7079,65 @@
}
return (Z_NO_ENTRY);
}
+int
+zonecfg_getsecflagsent(zone_dochandle_t handle,
+ struct zone_secflagstab *tabptr)
+{
+ int err;
+ xmlNodePtr cur;
+
+ if (handle == NULL)
+ return (Z_INVAL);
+
+ if ((err = zonecfg_setent(handle)) != Z_OK)
+ return (err);
+
+
+ if ((cur = handle->zone_dh_cur) == NULL)
+ return (Z_NO_ENTRY);
+
+ for (; cur != NULL; cur = cur->next) {
+ if (xmlStrcmp(cur->name, DTD_ELEM_SECFLAGS) == 0)
+ break;
+ }
+
+ if (cur == NULL) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (Z_NO_ENTRY);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_DEFAULT,
+ tabptr->zone_secflags_default,
+ sizeof (tabptr->zone_secflags_default))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_LOWER,
+ tabptr->zone_secflags_lower,
+ sizeof (tabptr->zone_secflags_lower))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ if ((err = fetchprop(cur, DTD_ATTR_UPPER,
+ tabptr->zone_secflags_upper,
+ sizeof (tabptr->zone_secflags_upper))) != Z_OK) {
+ handle->zone_dh_cur = handle->zone_dh_top;
+ return (err);
+ }
+
+ handle->zone_dh_cur = cur->next;
+
+ (void) zonecfg_endent(handle);
+
+ return (err);
+}
+
static int
getmcapent_core(zone_dochandle_t handle, struct zone_mcaptab *tabptr)
{
xmlNodePtr cur;
int err;