Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

Split Close
Expand all
Collapse all
          --- old/usr/src/man/man1m/zonecfg.1m.man.txt
          +++ new/usr/src/man/man1m/zonecfg.1m.man.txt
↓ open down ↓ 97 lines elided ↑ open up ↑
  98   98         net
  99   99  
 100  100             Network interface.
 101  101  
 102  102  
 103  103         rctl
 104  104  
 105  105             Resource control.
 106  106  
 107  107  
      108 +       security-flags
      109 +
      110 +           Process security flag settings.
      111 +
      112 +
 108  113     Properties
 109  114         Each resource type has one or more properties. There are also some
 110  115         global properties, that is, properties of the configuration as a whole,
 111  116         rather than of some particular resource.
 112  117  
 113  118  
 114  119         The following properties are supported:
 115  120  
 116  121         (global)
 117  122  
↓ open down ↓ 113 lines elided ↑ open up ↑
 231  236         capped-memory
 232  237  
 233  238             physical, swap, locked
 234  239  
 235  240  
 236  241         capped-cpu
 237  242  
 238  243             ncpus
 239  244  
 240  245  
      246 +       security-flags
      247 +
      248 +           lower, default, upper.
      249 +
      250 +
 241  251  
 242  252         As for the property values which are paired with these names, they are
 243  253         either simple, complex, or lists. The type allowed is property-
 244  254         specific. Simple values are strings, optionally enclosed within
 245  255         quotation marks. Complex values have the syntax:
 246  256  
 247  257           (<name>=<value>,<name>=<value>,...)
 248  258  
 249  259  
 250  260  
↓ open down ↓ 274 lines elided ↑ open up ↑
 525  535             example, 1.25). An ncpu value of 1 means 100% of a CPU, a value of
 526  536             1.25 means 125%, .75 mean 75%, and so forth. When projects within a
 527  537             capped zone have their own caps, the minimum value takes
 528  538             precedence.
 529  539  
 530  540             The capped-cpu property is an alias for zone.cpu-cap resource
 531  541             control and is related to the zone.cpu-cap resource control. See
 532  542             resource_controls(5).
 533  543  
 534  544  
      545 +       security-flags: lower, default, upper
      546 +
      547 +           Set the process security flags associated with the zone.  The lower
      548 +           and upper fields set the limits, the default field is set of flags
      549 +           all zone processes inherit.
      550 +
      551 +
 535  552         global: fs-allowed
 536  553  
 537  554             A comma-separated list of additional filesystems that may be
 538  555             mounted within the zone; for example "ufs,pcfs". By default, only
 539  556             hsfs(7fs) and network filesystems can be mounted. If the first
 540  557             entry in the list is "-" then that disables all of the default
 541  558             filesystems. If any filesystems are listed after "-" then only
 542  559             those filesystems can be mounted.
 543  560  
 544  561             This property does not apply to filesystems mounted into the zone
↓ open down ↓ 39 lines elided ↑ open up ↑
 584  601                              value           simple
 585  602           dataset           name            simple
 586  603           dedicated-cpu     ncpus           simple or range
 587  604                              importance      simple
 588  605  
 589  606           capped-memory     physical        simple with scale
 590  607                              swap            simple with scale
 591  608                              locked          simple with scale
 592  609  
 593  610           capped-cpu        ncpus           simple
      611 +         security-flags   lower           simple
      612 +                            default        simple
      613 +                            upper          simple
 594  614  
 595  615  
 596  616  
 597  617  
 598  618         To further specify things, the breakdown of the complex property
 599  619         "value" of the "rctl" resource type, it consists of three name/value
 600  620         pairs, the names being "priv", "limit" and "action", each of which
 601  621         takes a simple value. The "name" property of an "attr" resource is
 602  622         syntactically restricted in a fashion similar but not identical to zone
 603  623         names: it must begin with an alphanumeric, and can contain
↓ open down ↓ 663 lines elided ↑ open up ↑
1267 1287         |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
1268 1288         +--------------------+-----------------+
1269 1289         |Interface Stability | Volatile        |
1270 1290         +--------------------+-----------------+
1271 1291  
1272 1292  SEE ALSO
1273 1293         ppriv(1), prctl(1), zlogin(1), kstat(1M), mount(1M), pooladm(1M),
1274 1294         poolcfg(1M), poold(1M), rcapd(1M), rctladm(1M), svcadm(1M),
1275 1295         sysidtool(1M), zfs(1M), zoneadm(1M), priv_str_to_set(3C),
1276 1296         kstat(3KSTAT), vfstab(4), attributes(5), brands(5), fnmatch(5), lx(5),
1277      -       privileges(5), resource_controls(5), zones(5)
     1297 +       privileges(5), resource_controls(5), security-flags(5), zones(5)
1278 1298  
1279 1299  
1280 1300         System Administration Guide: Solaris Containers-Resource Management,
1281 1301         and Solaris Zones
1282 1302  
1283 1303  NOTES
1284 1304         All character data used by zonecfg must be in US-ASCII encoding.
1285 1305  
1286 1306  
1287 1307  
1288 1308                                 February 28, 2014                   ZONECFG(1M)
    
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX