Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
*** 725,735 ****
* QUESTION:
*/
void
audit_closef(struct file *fp)
! { /* AUDIT_CLOSEF */
f_audit_data_t *fad;
t_audit_data_t *tad;
int success;
au_state_t estate;
struct vnode *vp;
--- 725,735 ----
* QUESTION:
*/
void
audit_closef(struct file *fp)
! {
f_audit_data_t *fad;
t_audit_data_t *tad;
int success;
au_state_t estate;
struct vnode *vp;
*** 1596,1609 ****
}
/*ARGSUSED*/
void
! audit_fdsend(fd, fp, error)
! int fd;
! struct file *fp;
! int error; /* ignore for now */
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */
--- 1596,1606 ----
}
/*ARGSUSED*/
void
! audit_fdsend(int fd, struct file *fp, int error)
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */
*** 1671,1680 ****
--- 1668,1742 ----
priv_addset(target, priv);
}
}
/*
+ * Audit the psecflags() system call; the set name, current value, and delta
+ * are put in the audit trail.
+ */
+ void
+ audit_psecflags(proc_t *p,
+ psecflagwhich_t which,
+ const secflagdelta_t *psd)
+ {
+ t_audit_data_t *tad;
+ secflagset_t new;
+ const secflagset_t *old;
+ const char *s;
+ cred_t *cr;
+ pid_t pid;
+ const auditinfo_addr_t *ainfo;
+ const psecflags_t *psec = &p->p_secflags;
+
+ tad = U2A(u);
+
+ if (tad->tad_flag == 0)
+ return;
+
+ switch (which) {
+ case PSF_EFFECTIVE:
+ s = "effective";
+ old = &psec->psf_effective;
+ break;
+ case PSF_INHERIT:
+ s = "inherit";
+ old = &psec->psf_inherit;
+ break;
+ case PSF_LOWER:
+ s = "lower";
+ old = &psec->psf_lower;
+ break;
+ case PSF_UPPER:
+ s = "upper";
+ old = &psec->psf_upper;
+ break;
+ }
+
+ secflags_copy(&new, old);
+ secflags_apply_delta(&new, psd);
+
+ au_uwrite(au_to_secflags(s, *old));
+ au_uwrite(au_to_secflags(s, new));
+
+ ASSERT(mutex_owned(&p->p_lock));
+ mutex_enter(&p->p_crlock);
+
+ pid = p->p_pid;
+ crhold(cr = p->p_cred);
+ mutex_exit(&p->p_crlock);
+
+ if ((ainfo = crgetauinfo(cr)) == NULL) {
+ crfree(cr);
+ return;
+ }
+
+ AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
+
+ crfree(cr);
+ }
+
+ /*
* Audit the setpriv() system call; the operation, the set name and
* the current value as well as the set argument are put in the
* audit trail.
*/
void
*** 1747,1759 ****
}
}
/*ARGSUSED*/
void
! audit_fdrecv(fd, fp)
! int fd;
! struct file *fp;
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */
--- 1809,1819 ----
}
}
/*ARGSUSED*/
void
! audit_fdrecv(int fd, struct file *fp)
{
t_audit_data_t *tad; /* current thread */
f_audit_data_t *fad; /* per file audit structure */
struct vnode *vp; /* for file attributes */