7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -27,11 +27,10 @@
.nf
\fBzonecfg\fR help
.fi
.SH DESCRIPTION
-.sp
.LP
The \fBzonecfg\fR utility creates and modifies the configuration of a zone.
Zone configuration consists of a number of resources and properties.
.sp
.LP
@@ -70,11 +69,10 @@
installed distribution in the global zone. Some brands do not support all of
the \fBzonecfg\fR properties and resources. See the brand-specific man page for
more details on each brand. For an overview of brands, see the \fBbrands\fR(5)
man page.
.SS "Resources"
-.sp
.LP
The following resource types are supported:
.sp
.ne 2
.na
@@ -163,12 +161,21 @@
.sp .6
.RS 4n
Resource control.
.RE
-.SS "Properties"
.sp
+.ne 2
+.na
+\fB\fBsecurity-flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+Process security flag settings.
+.RE
+
+.SS "Properties"
.LP
Each resource type has one or more properties. There are also some global
properties, that is, properties of the configuration as a whole, rather than of
some particular resource.
.sp
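Review bot: The empty line added between `.RE` and `.SS "Properties"` is a blank line in roff source. It renders as extra vertical space and is flagged by man page linters, so drop it or use an explicit `.sp` if spacing is intended. The description "Process security flag settings." is also thin for a new resource type, and a pointer to security-flags(5), which this change adds to SEE ALSO, would tell the reader where the flags are defined.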
@@ -423,10 +430,20 @@
.RS 4n
\fBncpus\fR
.RE
.sp
+.ne 2
+.na
+\fB\fBsecurity-flags\fB\fB
+.ad
+.sp .6
+.RS 4n
+\fBlower\fR, \fBdefault\fR, \fBupper\fR.
+.RE
+
+.sp
.LP
As for the property values which are paired with these names, they are either
simple, complex, or lists. The type allowed is property-specific. Simple values
are strings, optionally enclosed within quotation marks. Complex values have
the syntax:
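Review bot: The added tag line `\fB\fBsecurity-flags\fB\fB` closes with `\fB` instead of `\fR`, so bold is never switched off and carries into the text that follows. It should match the form used for the same entry in the Resources list, `\fB\fBsecurity-flags\fR\fR`. The empty line added after `.RE` in this hunk has the same blank-line problem as the one before `.SS "Properties"`.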
@@ -863,10 +880,22 @@
.RE
.sp
.ne 2
.na
+\fB\fBsecurity-flags\fR: lower, default, upper\fR
+.ad
+.sp .6
+.RS 4n
+Set the process security flags associated with the zone. The \fBlower\fR and
+\fBupper\fR fields set the limits, the \fBdefault\fR field is set of flags all
+zone processes inherit.
+.RE
+
+.sp
+.ne 2
+.na
\fBglobal: \fBfs-allowed\fR\fR
.ad
.sp .6
.RS 4n
A comma-separated list of additional filesystems that may be mounted within
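Review bot: The sentence "the \fBdefault\fR field is set of flags all zone processes inherit" in the added description is missing an article and is joined to the previous clause with a comma splice. Suggest "The \fBlower\fR and \fBupper\fR fields set the limits; the \fBdefault\fR field is the set of flags all zone processes inherit." The text also does not say what values these fields accept or what the limits constrain, so a reference to security-flags(5) here would help. The empty line after `.RE` should go, as in the earlier hunks.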
@@ -926,10 +955,13 @@
capped-memory physical simple with scale
swap simple with scale
locked simple with scale
capped-cpu ncpus simple
+security-flags lower simple
+ default simple
+ upper simple
.fi
.in -2
.sp
.sp
@@ -942,11 +974,10 @@
contain alphanumerics plus the hyphen (\fB-\fR), underscore (\fB_\fR), and dot
(\fB\&.\fR) characters. Attribute names beginning with "zone" are reserved for
use by the system. Finally, the "autoboot" global property must have a value of
"true" or "false".
.SS "Using Kernel Statistics to Monitor CPU Caps"
-.sp
.LP
Using the kernel statistics (\fBkstat\fR(3KSTAT)) module \fBcaps\fR, the system
maintains information for all capped projects and zones. You can access this
information by reading kernel statistics (\fBkstat\fR(3KSTAT)), specifying
\fBcaps\fR as the \fBkstat\fR module name. The following command displays
@@ -1095,11 +1126,10 @@
.sp
.LP
See \fBEXAMPLES\fR for sample output from a \fBkstat\fR command.
.SH OPTIONS
-.sp
.LP
The following options are supported:
.sp
.ne 2
.na
@@ -1124,11 +1154,10 @@
name \fBglobal\fR and all names beginning with \fBSUNW\fR are reserved and
cannot be used.
.RE
.SH SUBCOMMANDS
-.sp
.LP
You can use the \fBadd\fR and \fBselect\fR subcommands to select a specific
resource, at which point the scope changes to that resource. The \fBend\fR and
\fBcancel\fR subcommands are used to complete the resource specification, at
which time the scope is reverted back to global. Certain subcommands, such as
@@ -1801,11 +1830,10 @@
.fi
.in -2
.sp
.SH EXIT STATUS
-.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
@@ -1835,11 +1863,10 @@
.RS 4n
Invalid usage.
.RE
.SH ATTRIBUTES
-.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
@@ -1851,22 +1878,20 @@
_
Interface Stability Volatile
.TE
.SH SEE ALSO
-.sp
.LP
\fBppriv\fR(1), \fBprctl\fR(1), \fBzlogin\fR(1), \fBkstat\fR(1M),
\fBmount\fR(1M), \fBpooladm\fR(1M), \fBpoolcfg\fR(1M), \fBpoold\fR(1M),
\fBrcapd\fR(1M), \fBrctladm\fR(1M), \fBsvcadm\fR(1M), \fBsysidtool\fR(1M),
\fBzfs\fR(1M), \fBzoneadm\fR(1M), \fBpriv_str_to_set\fR(3C),
\fBkstat\fR(3KSTAT), \fBvfstab\fR(4), \fBattributes\fR(5), \fBbrands\fR(5),
\fBfnmatch\fR(5), \fBlx\fR(5), \fBprivileges\fR(5), \fBresource_controls\fR(5),
-\fBzones\fR(5)
+\fBsecurity-flags\fR(5), \fBzones\fR(5)
.sp
.LP
\fISystem Administration Guide: Solaris Containers-Resource Management, and
Solaris Zones\fR
.SH NOTES
-.sp
.LP
All character data used by \fBzonecfg\fR must be in US-ASCII encoding.