Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.


  23  * Copyright 2015 Joyent, Inc. All rights reserved.
  24  * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
  25  * Copyright 2014 Igor Kozhukhov <ikozhukhov@gmail.com>.
  26  */
  27 
  28 #ifndef _SYS_ZONE_H
  29 #define _SYS_ZONE_H
  30 
  31 #include <sys/types.h>
  32 #include <sys/mutex.h>
  33 #include <sys/param.h>
  34 #include <sys/rctl.h>
  35 #include <sys/ipc_rctl.h>
  36 #include <sys/pset.h>
  37 #include <sys/tsol/label.h>
  38 #include <sys/cred.h>
  39 #include <sys/netstack.h>
  40 #include <sys/uadmin.h>
  41 #include <sys/ksynch.h>
  42 #include <sys/socket_impl.h>

  43 #include <netinet/in.h>
  44 
  45 #ifdef  __cplusplus
  46 extern "C" {
  47 #endif
  48 
  49 /*
  50  * NOTE
  51  *
  52  * The contents of this file are private to the implementation of
  53  * Solaris and are subject to change at any time without notice.
  54  * Applications and drivers using these interfaces may fail to
  55  * run on future releases.
  56  */
  57 
  58 /* Available both in kernel and for user space */
  59 
  60 /* zone id restrictions and special ids */
  61 #define MAX_ZONEID      9999
  62 #define MIN_USERZONEID  1       /* lowest user-creatable zone ID */


  87 
  88 /* zone attributes */
  89 #define ZONE_ATTR_ROOT          1
  90 #define ZONE_ATTR_NAME          2
  91 #define ZONE_ATTR_STATUS        3
  92 #define ZONE_ATTR_PRIVSET       4
  93 #define ZONE_ATTR_UNIQID        5
  94 #define ZONE_ATTR_POOLID        6
  95 #define ZONE_ATTR_INITPID       7
  96 #define ZONE_ATTR_SLBL          8
  97 #define ZONE_ATTR_INITNAME      9
  98 #define ZONE_ATTR_BOOTARGS      10
  99 #define ZONE_ATTR_BRAND         11
 100 #define ZONE_ATTR_PHYS_MCAP     12
 101 #define ZONE_ATTR_SCHED_CLASS   13
 102 #define ZONE_ATTR_FLAGS         14
 103 #define ZONE_ATTR_HOSTID        15
 104 #define ZONE_ATTR_FS_ALLOWED    16
 105 #define ZONE_ATTR_NETWORK       17
 106 #define ZONE_ATTR_INITNORESTART 20

 107 
 108 /* Start of the brand-specific attribute namespace */
 109 #define ZONE_ATTR_BRAND_ATTRS   32768
 110 
 111 #define ZONE_FS_ALLOWED_MAX     1024
 112 
 113 #define ZONE_EVENT_CHANNEL      "com.sun:zones:status"
 114 #define ZONE_EVENT_STATUS_CLASS "status"
 115 #define ZONE_EVENT_STATUS_SUBCLASS      "change"
 116 
 117 #define ZONE_EVENT_UNINITIALIZED        "uninitialized"
 118 #define ZONE_EVENT_INITIALIZED          "initialized"
 119 #define ZONE_EVENT_READY                "ready"
 120 #define ZONE_EVENT_RUNNING              "running"
 121 #define ZONE_EVENT_SHUTTING_DOWN        "shutting_down"
 122 
 123 #define ZONE_CB_NAME            "zonename"
 124 #define ZONE_CB_NEWSTATE        "newstate"
 125 #define ZONE_CB_OLDSTATE        "oldstate"
 126 #define ZONE_CB_TIMESTAMP       "when"


 561         struct mntelem  *zone_mntfs_db;
 562         krwlock_t       zone_mntfs_db_lock;
 563 
 564         struct klpd_reg         *zone_pfexecd;
 565 
 566         char            *zone_fs_allowed;
 567         rctl_qty_t      zone_nprocs;    /* number of processes in the zone */
 568         rctl_qty_t      zone_nprocs_ctl;        /* current limit protected by */
 569                                                 /* zone_rctls->rcs_lock */
 570         kstat_t         *zone_nprocs_kstat;
 571 
 572         kmutex_t        zone_mcap_lock; /* protects mcap statistics */
 573         kstat_t         *zone_mcap_ksp;
 574         zone_mcap_kstat_t *zone_mcap_stats;
 575         uint64_t        zone_pgpgin;            /* pages paged in */
 576         uint64_t        zone_anonpgin;          /* anon pages paged in */
 577         uint64_t        zone_execpgin;          /* exec pages paged in */
 578         uint64_t        zone_fspgin;            /* fs pages paged in */
 579         uint64_t        zone_anon_alloc_fail;   /* cnt of anon alloc fails */
 580 


 581         /*
 582          * Misc. kstats and counters for zone cpu-usage aggregation.
 583          * The zone_Xtime values are the sum of the micro-state accounting
 584          * values for all threads that are running or have run in the zone.
 585          * This is tracked in msacct.c as threads change state.
 586          * The zone_stime is the sum of the LMS_SYSTEM times.
 587          * The zone_utime is the sum of the LMS_USER times.
 588          * The zone_wtime is the sum of the LMS_WAIT_CPU times.
 589          * As with per-thread micro-state accounting values, these values are
 590          * not scaled to nanosecs.  The scaling is done by the
 591          * zone_misc_kstat_update function when kstats are requested.
 592          */
 593         kmutex_t        zone_misc_lock;         /* protects misc statistics */
 594         kstat_t         *zone_misc_ksp;
 595         zone_misc_kstat_t *zone_misc_stats;
 596         uint64_t        zone_stime;             /* total system time */
 597         uint64_t        zone_utime;             /* total user time */
 598         uint64_t        zone_wtime;             /* total time waiting in runq */
 599         /* fork-fail kstat tracking */
 600         uint32_t        zone_ffcap;             /* hit an rctl cap */




  23  * Copyright 2015 Joyent, Inc. All rights reserved.
  24  * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
  25  * Copyright 2014 Igor Kozhukhov <ikozhukhov@gmail.com>.
  26  */
  27 
  28 #ifndef _SYS_ZONE_H
  29 #define _SYS_ZONE_H
  30 
  31 #include <sys/types.h>
  32 #include <sys/mutex.h>
  33 #include <sys/param.h>
  34 #include <sys/rctl.h>
  35 #include <sys/ipc_rctl.h>
  36 #include <sys/pset.h>
  37 #include <sys/tsol/label.h>
  38 #include <sys/cred.h>
  39 #include <sys/netstack.h>
  40 #include <sys/uadmin.h>
  41 #include <sys/ksynch.h>
  42 #include <sys/socket_impl.h>
  43 #include <sys/secflags.h>
  44 #include <netinet/in.h>
  45 
  46 #ifdef  __cplusplus
  47 extern "C" {
  48 #endif
  49 
  50 /*
  51  * NOTE
  52  *
  53  * The contents of this file are private to the implementation of
  54  * Solaris and are subject to change at any time without notice.
  55  * Applications and drivers using these interfaces may fail to
  56  * run on future releases.
  57  */
  58 
  59 /* Available both in kernel and for user space */
  60 
  61 /* zone id restrictions and special ids */
  62 #define MAX_ZONEID      9999
  63 #define MIN_USERZONEID  1       /* lowest user-creatable zone ID */


  88 
  89 /* zone attributes */
  90 #define ZONE_ATTR_ROOT          1
  91 #define ZONE_ATTR_NAME          2
  92 #define ZONE_ATTR_STATUS        3
  93 #define ZONE_ATTR_PRIVSET       4
  94 #define ZONE_ATTR_UNIQID        5
  95 #define ZONE_ATTR_POOLID        6
  96 #define ZONE_ATTR_INITPID       7
  97 #define ZONE_ATTR_SLBL          8
  98 #define ZONE_ATTR_INITNAME      9
  99 #define ZONE_ATTR_BOOTARGS      10
 100 #define ZONE_ATTR_BRAND         11
 101 #define ZONE_ATTR_PHYS_MCAP     12
 102 #define ZONE_ATTR_SCHED_CLASS   13
 103 #define ZONE_ATTR_FLAGS         14
 104 #define ZONE_ATTR_HOSTID        15
 105 #define ZONE_ATTR_FS_ALLOWED    16
 106 #define ZONE_ATTR_NETWORK       17
 107 #define ZONE_ATTR_INITNORESTART 20
 108 #define ZONE_ATTR_SECFLAGS      21
 109 
 110 /* Start of the brand-specific attribute namespace */
 111 #define ZONE_ATTR_BRAND_ATTRS   32768
 112 
 113 #define ZONE_FS_ALLOWED_MAX     1024
 114 
 115 #define ZONE_EVENT_CHANNEL      "com.sun:zones:status"
 116 #define ZONE_EVENT_STATUS_CLASS "status"
 117 #define ZONE_EVENT_STATUS_SUBCLASS      "change"
 118 
 119 #define ZONE_EVENT_UNINITIALIZED        "uninitialized"
 120 #define ZONE_EVENT_INITIALIZED          "initialized"
 121 #define ZONE_EVENT_READY                "ready"
 122 #define ZONE_EVENT_RUNNING              "running"
 123 #define ZONE_EVENT_SHUTTING_DOWN        "shutting_down"
 124 
 125 #define ZONE_CB_NAME            "zonename"
 126 #define ZONE_CB_NEWSTATE        "newstate"
 127 #define ZONE_CB_OLDSTATE        "oldstate"
 128 #define ZONE_CB_TIMESTAMP       "when"


 563         struct mntelem  *zone_mntfs_db;
 564         krwlock_t       zone_mntfs_db_lock;
 565 
 566         struct klpd_reg         *zone_pfexecd;
 567 
 568         char            *zone_fs_allowed;
 569         rctl_qty_t      zone_nprocs;    /* number of processes in the zone */
 570         rctl_qty_t      zone_nprocs_ctl;        /* current limit protected by */
 571                                                 /* zone_rctls->rcs_lock */
 572         kstat_t         *zone_nprocs_kstat;
 573 
 574         kmutex_t        zone_mcap_lock; /* protects mcap statistics */
 575         kstat_t         *zone_mcap_ksp;
 576         zone_mcap_kstat_t *zone_mcap_stats;
 577         uint64_t        zone_pgpgin;            /* pages paged in */
 578         uint64_t        zone_anonpgin;          /* anon pages paged in */
 579         uint64_t        zone_execpgin;          /* exec pages paged in */
 580         uint64_t        zone_fspgin;            /* fs pages paged in */
 581         uint64_t        zone_anon_alloc_fail;   /* cnt of anon alloc fails */
 582 
 583         psecflags_t     zone_secflags; /* default zone security-flags */
 584 
 585         /*
 586          * Misc. kstats and counters for zone cpu-usage aggregation.
 587          * The zone_Xtime values are the sum of the micro-state accounting
 588          * values for all threads that are running or have run in the zone.
 589          * This is tracked in msacct.c as threads change state.
 590          * The zone_stime is the sum of the LMS_SYSTEM times.
 591          * The zone_utime is the sum of the LMS_USER times.
 592          * The zone_wtime is the sum of the LMS_WAIT_CPU times.
 593          * As with per-thread micro-state accounting values, these values are
 594          * not scaled to nanosecs.  The scaling is done by the
 595          * zone_misc_kstat_update function when kstats are requested.
 596          */
 597         kmutex_t        zone_misc_lock;         /* protects misc statistics */
 598         kstat_t         *zone_misc_ksp;
 599         zone_misc_kstat_t *zone_misc_stats;
 600         uint64_t        zone_stime;             /* total system time */
 601         uint64_t        zone_utime;             /* total user time */
 602         uint64_t        zone_wtime;             /* total time waiting in runq */
 603         /* fork-fail kstat tracking */
 604         uint32_t        zone_ffcap;             /* hit an rctl cap */