Feature #14020

closed

Allow brands to set default security-flags

Added by Andy Fiddaman 10 months ago. Updated 7 months ago.

Status: Closed
Priority: Low
Assignee:
Category: zones
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

It is possible to define security flags on a per zone basis via zonecfg(1m). It would be useful to be able to define a default set of security flags in the brand definition so that all zones of that type would inherit them by default.

Actions #1

Updated by Andy Fiddaman 10 months ago

  • Gerrit CR set to 1657

Actions #2

Updated by Andy Fiddaman 7 months ago

I've tested this change in an onu environment.

With secflags set neither in the brand nor zone config, the init process has no security flags set:

bloody# psecflags `pgrep -n -z pkgsrc init`
1354:   /sbin/init
        E:      none
        I:      none
        L:      none
        U:      aslr,forbidnullmap,noexecstack

The pre-existing zone flags still work as expected (tested default, lower and upper combinations):

bloody# zonecfg -z pkgsrc 'add security-flags; set default=aslr; end'
bloody# zoneadm -z pkgsrc boot
bloody# psecflags `pgrep -n -z pkgsrc init`
2233:   /sbin/init
        E:      aslr
        I:      aslr
        L:      none
        U:      aslr,forbidnullmap,noexecstack

With some default security flags added to the brand config, the ones defined in the zone override:

bloody# grep security-fl /usr/lib/brand/pkgsrc/config.xml
        <security-flags>aslr,forbidnullmap,noexecstack</security-flags>

bloody# psecflags `pgrep -n -z pkgsrc init`
3156:   /sbin/init
        E:      aslr
        I:      aslr
        L:      none
        U:      aslr,forbidnullmap,noexecstack

and removing the zone-specific ones allows the brand ones to take effect:

bloody# psecflags `pgrep -n -z pkgsrc init`
4025:   /sbin/init
        E:      aslr,forbidnullmap,noexecstack
        I:      aslr,forbidnullmap,noexecstack
        L:      none
        U:      aslr,forbidnullmap,noexecstack
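
An added example (not part of the ticket or of the illumos change): a shell check that parses `psecflags` output like that shown above and reports which of the brand's default flags are absent from a given set, which is how a zone-level `security-flags` override that narrows the brand default shows up. The function and variable names are hypothetical; the two samples are copied from the output above.

```shell
# Added example: check psecflags output against a required flag list.
# Function and variable names are illustrative, not part of illumos.

# Print the flag list of one set (E, I, L or U) from psecflags output on
# stdin, for the first process listed. "none" becomes an empty line.
secflags_set() {
    awk -v key="$1:" '$1 == key { print ($2 == "none" ? "" : $2); exit }'
}

# Print the flags from list $2 that are absent from set $1 (stdin as above).
# Returns 0 when nothing is missing, 1 otherwise.
secflags_missing() {
    have=$(secflags_set "$1")
    missing=""
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$have," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Flags the brand config.xml in the ticket supplies by default.
REQUIRED=aslr,forbidnullmap,noexecstack

# psecflags output copied from the ticket: zone-level default=aslr in effect.
ZONE_OVERRIDE='3156:   /sbin/init
        E:      aslr
        I:      aslr
        L:      none
        U:      aslr,forbidnullmap,noexecstack'

# psecflags output copied from the ticket: brand defaults in effect.
BRAND_ONLY='4025:   /sbin/init
        E:      aslr,forbidnullmap,noexecstack
        I:      aslr,forbidnullmap,noexecstack
        L:      none
        U:      aslr,forbidnullmap,noexecstack'

for sample in "$ZONE_OVERRIDE" "$BRAND_ONLY"; do
    if gone=$(printf '%s\n' "$sample" | secflags_missing I "$REQUIRED"); then
        echo "inheritable set carries all brand defaults"
    else
        echo "inheritable set is missing: $gone"
    fi
done
```

On a live system the same functions can be fed directly from `psecflags` for a zone's init process instead of the embedded samples.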
Actions #3

Updated by Electric Monk 7 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 5d08dfa0e47b41649eb5cfa0e8350f9e71383292

commit  5d08dfa0e47b41649eb5cfa0e8350f9e71383292
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2021-10-26T21:16:40.000Z

    14020 Allow brands to set default security-flags
    Reviewed by: Robert Mustacchi <rm+illumos@fingolfin.org>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Dan McDonald <danmcd@joyent.com>
