Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
*** 38,47 ****
--- 38,48 ----
#include <sys/cred.h>
#include <sys/netstack.h>
#include <sys/uadmin.h>
#include <sys/ksynch.h>
#include <sys/socket_impl.h>
+ #include <sys/secflags.h>
#include <netinet/in.h>
#ifdef __cplusplus
extern "C" {
#endif
*** 102,111 ****
--- 103,113 ----
#define ZONE_ATTR_FLAGS 14
#define ZONE_ATTR_HOSTID 15
#define ZONE_ATTR_FS_ALLOWED 16
#define ZONE_ATTR_NETWORK 17
#define ZONE_ATTR_INITNORESTART 20
+ #define ZONE_ATTR_SECFLAGS 21
/* Start of the brand-specific attribute namespace */
#define ZONE_ATTR_BRAND_ATTRS 32768
#define ZONE_FS_ALLOWED_MAX 1024
*** 576,585 ****
--- 578,589 ----
uint64_t zone_anonpgin; /* anon pages paged in */
uint64_t zone_execpgin; /* exec pages paged in */
uint64_t zone_fspgin; /* fs pages paged in */
uint64_t zone_anon_alloc_fail; /* cnt of anon alloc fails */
+ psecflags_t zone_secflags; /* default zone security-flags */
+
/*
* Misc. kstats and counters for zone cpu-usage aggregation.
* The zone_Xtime values are the sum of the micro-state accounting
* values for all threads that are running or have run in the zone.
* This is tracked in msacct.c as threads change state.