Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1.man.txt
+++ new/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1.man.txt
1 1 () ()
2 2
3 3
4 4
5 5 <?xml version='1.0' encoding='UTF-8' ?>
6 6
7 7 <!--
8 8 CDDL HEADER START
9 9
10 10 The contents of this file are subject to the terms of the
11 11 Common Development and Distribution License (the "License").
12 12 You may not use this file except in compliance with the License.
13 13
14 14 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15 15 or http://www.opensolaris.org/os/licensing.
16 16 See the License for the specific language governing permissions
17 17 and limitations under the License.
18 18
19 19 When distributing Covered Code, include this CDDL HEADER in each
20 20 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21 21 If applicable, add the following below this CDDL HEADER, with the
22 22 fields enclosed by brackets "[]" replaced with your own identifying
23 23 information: Portions Copyright [yyyy] [name of copyright owner]
24 24
25 25 CDDL HEADER END
26 26
27 27 Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
28 28
29 29 -->
30 30
31 31 <!--Element Definitions-->
32 32
33 33 <!ELEMENT fsoption EMPTY> <!ATTLIST fsoption name CDATA #REQUIRED>
34 34
35 35 <!ELEMENT filesystem (fsoption)* >
36 36
37 37 <!ATTLIST filesystem special CDATA #REQUIRED raw
38 38 CDATA "" directory CDATA #REQUIRED type CDATA
39 39 #REQUIRED>
40 40
41 41 <!--
42 42 The "inherited-pkg-dir" element may no longer be specified in a
43 43 configuration, however we retain the definition to aid with migration
44 44 of existing configurations. -->
45 45
46 46 <!ELEMENT inherited-pkg-dir EMPTY>
47 47
48 48 <!ATTLIST inherited-pkg-dir directory CDATA #REQUIRED>
49 49
50 50 <!ELEMENT network EMPTY>
51 51
52 52 <!ATTLIST network address CDATA "" allowed-address
53 53 CDATA "" defrouter CDATA "" physical CDATA #REQUIRED>
54 54
55 55 <!ELEMENT device EMPTY>
56 56
57 57 <!ATTLIST device match CDATA #REQUIRED>
58 58
59 59 <!-- Historically, the deleted-device element denoted a used-to-be
60 60 device element. This was used to keep track of device elements deleted or
61 61 modified by the user, and to cleanse /dev of such entries at next zone
62 62 boot.
63 63
64 64 With the ability to now configure devices dynamically, this
65 65 requirement no longer exists, but this element MUST remain in perpetuity,
66 66 since it is possible that an upgraded zone could carry a deleted-device
67 67 element, and would therefore fail XML validation if removed --> <!ELEMENT
68 68 deleted-device EMPTY>
69 69
70 70 <!ATTLIST deleted-device match CDATA #REQUIRED>
71 71
72 72 <!ELEMENT rctl-value EMPTY>
73 73
74 74 <!ATTLIST rctl-value priv CDATA #REQUIRED limit
75 75 CDATA #REQUIRED action CDATA #REQUIRED>
76 76
77 77 <!ELEMENT rctl (rctl-value)*>
78 78
79 79 <!ATTLIST rctl name CDATA #REQUIRED>
80 80
81 81 <!ELEMENT attr EMPTY>
82 82
83 83 <!ATTLIST attr name CDATA #REQUIRED type (boolean
84 84 | int | string | uint) #REQUIRED value
85 85 CDATA #REQUIRED>
86 86
87 87 <!ELEMENT dataset EMPTY>
88 88
89 89 <!ATTLIST dataset name CDATA #REQUIRED>
90 90
91 91 <!ELEMENT package EMPTY>
92 92
93 93 <!ATTLIST package name CDATA #REQUIRED version
94 94 CDATA #REQUIRED>
95 95
96 96 <!ELEMENT obsoletes EMPTY> <!ATTLIST obsoletes id CDATA #REQUIRED>
97 97
98 98 <!ELEMENT incompatible EMPTY> <!ATTLIST incompatible id CDATA
99 99 #REQUIRED>
100 100
101 101 <!ELEMENT patch (obsoletes | incompatible)* >
102 102
103 103 <!ATTLIST patch id CDATA #REQUIRED>
104 104
105 105 <!ELEMENT dev-perm EMPTY>
106 106
107 107 <!ATTLIST dev-perm name CDATA #REQUIRED uid CDATA
108 108 #REQUIRED gid CDATA #REQUIRED mode
109 109 CDATA #REQUIRED acl CDATA #REQUIRED>
110 110
111 111 <!-- The tmp_pool element is separate from the pset element so that we
112 112 can track the importance value at the pool level, where it belongs, instead
113 113 of at the pset level. Once we have msets this will be important since tmp
114 114 psets and tmp msets will share a common pool-level importance. -->
115 115 <!ELEMENT tmp_pool EMPTY>
116 116
117 117 <!ATTLIST tmp_pool importance CDATA #REQUIRED>
118 118
119 119 <!ELEMENT pset EMPTY>
120 120
121 121 <!ATTLIST pset ncpu_min CDATA #REQUIRED ncpu_max CDATA
122 122 #REQUIRED>
|
↓ open down ↓ |
122 lines elided |
↑ open up ↑ |
123 123
124 124 <!ELEMENT mcap EMPTY>
125 125
126 126 <!ATTLIST mcap physcap CDATA #REQUIRED>
127 127
128 128 <!ELEMENT admin EMPTY>
129 129
130 130 <!ATTLIST admin user CDATA #REQUIRED
131 131 auths CDATA #REQUIRED>
132 132
133 +<!ELEMENT security-flags EMPTY>
134 +
135 +<!ATTLIST security-flags default CDATA "" lower
136 + CDATA "" upper CDATA "">
137 +
133 138 <!ELEMENT zone (filesystem | inherited-pkg-dir | network | device |
134 139 deleted-device | rctl | attr | dataset | package | patch | dev-
135 -perm | tmp_pool | pset | mcap | admin)*>
140 +perm | tmp_pool | pset | mcap | admin | security-flags)*>
136 141
137 142 <!ATTLIST zone name CDATA #REQUIRED zonepath CDATA
138 143 #REQUIRED autoboot (true | false) #REQUIRED ip-
139 144 type CDATA "" hostid CDATA "" pool
140 145 CDATA "" limitpriv CDATA "" bootargs CDATA ""
141 146 brand CDATA "" scheduling-class CDATA "" fs-
142 147 allowed CDATA "" version NMTOKEN #FIXED '1'>
143 148
144 149
145 150
146 151 June 2, 2016 ()
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX