7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
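--- a/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1
+++ b/usr/src/lib/libzonecfg/dtd/zonecfg.dtd.1
@@ -1,161 +1,167 @@
 <?xml version='1.0' encoding='UTF-8' ?>
 
 <!--
 CDDL HEADER START
 
 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.
 
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.
 
 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]
 
 CDDL HEADER END
 
 Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 
 -->
 
 <!--Element Definitions-->
 
 <!ELEMENT fsoption EMPTY>
 <!ATTLIST fsoption name CDATA #REQUIRED>
 
 <!ELEMENT filesystem (fsoption)* >
 
 <!ATTLIST filesystem special CDATA #REQUIRED
 raw CDATA ""
 directory CDATA #REQUIRED
 type CDATA #REQUIRED>
 
 <!--
 The "inherited-pkg-dir" element may no longer be specified in a
 configuration, however we retain the definition to aid with migration
 of existing configurations.
 -->
 
 <!ELEMENT inherited-pkg-dir EMPTY>
 
 <!ATTLIST inherited-pkg-dir directory CDATA #REQUIRED>
 
 <!ELEMENT network EMPTY>
 
 <!ATTLIST network address CDATA ""
 allowed-address CDATA ""
 defrouter CDATA ""
 physical CDATA #REQUIRED>
 
 <!ELEMENT device EMPTY>
 
 <!ATTLIST device match CDATA #REQUIRED>
 
 <!--
 Historically, the deleted-device element denoted a used-to-be
 device element. This was used to keep track of device elements
 deleted or modified by the user, and to cleanse /dev of such
 entries at next zone boot.
 
 With the ability to now configure devices dynamically, this
 requirement no longer exists, but this element MUST remain in
 perpetuity, since it is possible that an upgraded zone could
 carry a deleted-device element, and would therefore fail XML
 validation if removed
 -->
 <!ELEMENT deleted-device EMPTY>
 
 <!ATTLIST deleted-device match CDATA #REQUIRED>
 
 <!ELEMENT rctl-value EMPTY>
 
 <!ATTLIST rctl-value priv CDATA #REQUIRED
 limit CDATA #REQUIRED
 action CDATA #REQUIRED>
 
 <!ELEMENT rctl (rctl-value)*>
 
 <!ATTLIST rctl name CDATA #REQUIRED>
 
 <!ELEMENT attr EMPTY>
 
 <!ATTLIST attr name CDATA #REQUIRED
 type (boolean | int | string | uint)
 #REQUIRED
 value CDATA #REQUIRED>
 
 <!ELEMENT dataset EMPTY>
 
 <!ATTLIST dataset name CDATA #REQUIRED>
 
 <!ELEMENT package EMPTY>
 
 <!ATTLIST package name CDATA #REQUIRED
 version CDATA #REQUIRED>
 
 <!ELEMENT obsoletes EMPTY>
 <!ATTLIST obsoletes id CDATA #REQUIRED>
 
 <!ELEMENT incompatible EMPTY>
 <!ATTLIST incompatible id CDATA #REQUIRED>
 
 <!ELEMENT patch (obsoletes | incompatible)* >
 
 <!ATTLIST patch id CDATA #REQUIRED>
 
 <!ELEMENT dev-perm EMPTY>
 
 <!ATTLIST dev-perm name CDATA #REQUIRED
 uid CDATA #REQUIRED
 gid CDATA #REQUIRED
 mode CDATA #REQUIRED
 acl CDATA #REQUIRED>
 
 <!--
 The tmp_pool element is separate from the pset element so that
 we can track the importance value at the pool level, where it
 belongs, instead of at the pset level. Once we have msets this
 will be important since tmp psets and tmp msets will share a common
 pool-level importance.
 -->
 <!ELEMENT tmp_pool EMPTY>
 
 <!ATTLIST tmp_pool importance CDATA #REQUIRED>
 
 <!ELEMENT pset EMPTY>
 
 <!ATTLIST pset ncpu_min CDATA #REQUIRED
 ncpu_max CDATA #REQUIRED>
 
 <!ELEMENT mcap EMPTY>
 
 <!ATTLIST mcap physcap CDATA #REQUIRED>
 
 <!ELEMENT admin EMPTY>
 
 <!ATTLIST admin user CDATA #REQUIRED
 auths CDATA #REQUIRED>
 
+<!ELEMENT security-flags EMPTY>
+
+<!ATTLIST security-flags default CDATA ""
+ lower CDATA ""
+ upper CDATA "">
+
 <!ELEMENT zone (filesystem | inherited-pkg-dir | network | device |
 deleted-device | rctl | attr | dataset | package |
 patch | dev-perm | tmp_pool | pset |
- mcap | admin)*>
+ mcap | admin | security-flags)*>
 
 <!ATTLIST zone name CDATA #REQUIRED
 zonepath CDATA #REQUIRED
 autoboot (true | false) #REQUIRED
 ip-type CDATA ""
 hostid CDATA ""
 pool CDATA ""
 limitpriv CDATA ""
 bootargs CDATA ""
 brand CDATA ""
 scheduling-class CDATA ""
 fs-allowed CDATA ""
 version NMTOKEN #FIXED '1'>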
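Review bot: The new `security-flags` declaration gives the DTD no way to reject a bad exploit-mitigation setting. All three attributes (`default`, `lower`, `upper`) are free-form `CDATA` defaulting to `""`, and the element sits inside the repeating `zone` choice group, so a misspelled flag name, an inconsistent `lower`/`upper` pair and a second `security-flags` element all validate. Enforcement therefore has to live in the libzonecfg/zonecfg consumer, which is not visible on this page; if that code ignores unknown names or picks one of several elements arbitrarily, a zone could end up with weaker mitigations than the administrator configured. The element is also the only recent addition without an explanatory comment, so I would add one above it, for example `<!-- security-flags: default/lower/upper are secflag sets; flag names, the lower/upper relationship and at-most-one-per-zone are checked by libzonecfg, not by this DTD. -->`.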