Feature #7029 (closed): want per-process exploit mitigation features (secflags)

Added by Rich Lowe over 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: kernel
Start date: 2016-06-02
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
External Bug:

Description

A means to implement and control exploit-mitigation features is desirable on a per-process basis (as some of these features have negative impacts on legacy software).

There are 4 sets of flags per-process:

- Effective (E) - the flags currently in effect; immutable for the lifetime of an executable image
- Inheritable (I) - the flags that will come into effect the next time one of the exec() family of functions is successfully called
- Lower (L) - the lower bound on the effective and inheritable sets; every flag in L must be present in both of them
- Upper (U) - the upper bound on the effective and inheritable sets; no flag absent from U may be present in either of them

A new basic privilege, PRIV_PROC_SECFLAGS is introduced. A process with this privilege may change the security flags of any process to which it could send a signal.

Defaults for the security flag groups are specified as properties on svc:/system/process-security, which we introduce. The set of flags to use for the effective set of any other service may be set in its method context. A new zones resource is introduced to allow the configuration of all 4 sets for a given zone.
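The following is an added example, not illumos code, showing the four-set model above as a small bounds-checking routine: E and I must each satisfy L ⊆ set ⊆ U, E is immutable until exec() replaces it with I, and only an actor holding PRIV_PROC_SECFLAGS that could also signal the target may change a process's flags. The flag bit names are illustrative, modelled on the related issues (ASLR, noexec_user_stack, forbid NULL mappings); their values, the `actor_t` type and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative flag bits (constructed for this example, not the real illumos values). */
typedef uint32_t secflagset_t;
#define SEC_ASLR          (1u << 0)
#define SEC_NOEXECSTACK   (1u << 1)
#define SEC_FORBIDNULLMAP (1u << 2)
#define SEC_ALL           (SEC_ASLR | SEC_NOEXECSTACK | SEC_FORBIDNULLMAP)

/* The four per-process sets described in the issue. */
typedef struct {
    secflagset_t effective;   /* E: in force now, immutable until exec() */
    secflagset_t inheritable; /* I: becomes E on the next successful exec() */
    secflagset_t lower;       /* L: every flag here must be in E and I */
    secflagset_t upper;       /* U: no flag outside this may be in E or I */
} proc_secflags_t;

/* Who is trying to change the flags (hypothetical type for the example). */
typedef struct {
    bool has_priv_proc_secflags; /* holds the basic privilege PRIV_PROC_SECFLAGS */
    bool can_signal_target;      /* could send a signal to the target process */
} actor_t;

/* Start a process with empty E and I and the given bounds. */
proc_secflags_t secflags_init(secflagset_t lower, secflagset_t upper) {
    proc_secflags_t p = { 0, 0, lower, upper };
    return p;
}

/* A set s is within bounds when lower is a subset of s and s is a subset of upper. */
bool secflags_in_bounds(const proc_secflags_t *p, secflagset_t s) {
    return (s & p->lower) == p->lower && (s & ~p->upper) == 0;
}

/* The invariant the issue states: L <= U, and both E and I lie inside [L, U]. */
bool secflags_valid(const proc_secflags_t *p) {
    return (p->lower & ~p->upper) == 0 &&
           secflags_in_bounds(p, p->effective) &&
           secflags_in_bounds(p, p->inheritable);
}

/*
 * Replace the inheritable set on behalf of `who`. Refused unless the actor
 * has the privilege AND could signal the target, and the new set is in bounds.
 * The effective set is never touched here; only exec() changes it.
 */
bool secflags_set_inheritable(const actor_t *who, proc_secflags_t *p,
                              secflagset_t newi) {
    if (!who->has_priv_proc_secflags || !who->can_signal_target)
        return false;
    if (!secflags_in_bounds(p, newi))
        return false;
    p->inheritable = newi;
    return true;
}

/* Model of a successful exec(): the inheritable set becomes the effective set. */
secflagset_t secflags_exec(proc_secflags_t *p) {
    p->effective = p->inheritable;
    return p->effective;
}

int main(void) {
    actor_t root = { true, true };
    proc_secflags_t p = secflags_init(0, SEC_ALL);

    secflags_set_inheritable(&root, &p, SEC_ASLR | SEC_NOEXECSTACK);
    printf("E before exec: 0x%x, I: 0x%x\n", p.effective, p.inheritable);
    secflags_exec(&p);
    printf("E after exec:  0x%x\n", p.effective);

    /* Tighten the bounds: flags outside U are now refused. */
    p.upper = SEC_ASLR;
    printf("set NOEXECSTACK with U=ASLR -> %s\n",
           secflags_set_inheritable(&root, &p, SEC_NOEXECSTACK) ? "ok" : "refused");
    return 0;
}
```

The check order matters for a defender reading an audit trail: a refusal for lack of privilege or signal permission is a policy violation by the caller, whereas a refusal for an out-of-bounds set means the zone or service configuration (the L/U bounds) is doing its job.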


Related issues

- Related to illumos gate - Feature #7030: want basic address space layout randomization (ASLR) (Closed, Rich Lowe, 2016-06-02)
- Related to illumos gate - Feature #7031: noexec_user_stack should be a security-flag (Closed, Rich Lowe, 2016-06-02)
- Related to illumos gate - Feature #7032: want a means to forbid mappings around NULL (Closed, Rich Lowe, 2016-06-02)