want per-process exploit mitigation features (secflags)
A means to implement and control exploit-mitigation features on a per-process basis is desirable, since some of these features have negative impacts on legacy software.
There are 4 sets of flags per-process:
- Effective (E) - those flags currently in effect, immutable for the lifetime of an executable image
- Inheritable (I) - those flags which will come into effect the next time one of the exec() family of functions is successfully called
- Lower (L) - the lower bound for the effective/inheritable sets. Every flag in this set must also be present in both of those sets
- Upper (U) - the upper bound for the effective/inheritable sets. No flag absent from this set may be present in either of those sets
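The relationship between the four sets, as an added user-space model rather than code from illumos or this proposal: E and I must each lie between L and U as subsets, I may be changed freely within those bounds, and a successful exec() copies I into E. The secflags_t type, the SF_BIT_* flag names, and the policy that a bound may only be tightened (and only if the immutable E already satisfies it, with I adjusted to match) are assumptions of this model, not behaviour the text specifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed representation: one bit per mitigation flag. */
typedef uint32_t secflags_t;

/* Hypothetical flag bits, named only for illustration. */
#define SF_BIT_A (1u << 0)
#define SF_BIT_B (1u << 1)
#define SF_BIT_C (1u << 2)

/* The four per-process sets described in the list above. */
typedef struct {
	secflags_t effective;   /* E: in force now; fixed until the next exec */
	secflags_t inheritable; /* I: becomes E on the next successful exec */
	secflags_t lower;       /* L: every flag here must be in E and in I */
	secflags_t upper;       /* U: no flag outside here may be in E or I */
} proc_secflags_t;

/* True when lower <= set <= upper, as subsets. */
static bool secflags_in_bounds(secflags_t set, secflags_t lower, secflags_t upper)
{
	return (lower & ~set) == 0 && (set & ~upper) == 0;
}

/* The invariant that must hold across all four sets at all times. */
bool proc_secflags_valid(const proc_secflags_t *p)
{
	return (p->lower & ~p->upper) == 0 &&
	    secflags_in_bounds(p->effective, p->lower, p->upper) &&
	    secflags_in_bounds(p->inheritable, p->lower, p->upper);
}

/* Replace the inheritable set; rejected if the new set leaves [L, U]. */
bool proc_secflags_set_inheritable(proc_secflags_t *p, secflags_t want)
{
	if (!secflags_in_bounds(want, p->lower, p->upper))
		return false;
	p->inheritable = want;
	return true;
}

/* Raise L (assumed policy: flags are never removed from L). Because E
 * cannot change before exec, the new bound must already be met by E;
 * I is raised so that it meets the bound too. */
bool proc_secflags_raise_lower(proc_secflags_t *p, secflags_t add)
{
	secflags_t nl = p->lower | add;

	if ((nl & ~p->upper) != 0 || (nl & ~p->effective) != 0)
		return false;
	p->lower = nl;
	p->inheritable |= add;
	return true;
}

/* Lower U (assumed policy: flags are never added back to U). L and the
 * immutable E must already fit under the new bound; I is clipped to it. */
bool proc_secflags_lower_upper(proc_secflags_t *p, secflags_t drop)
{
	secflags_t nu = p->upper & ~drop;

	if ((p->lower & ~nu) != 0 || (p->effective & ~nu) != 0)
		return false;
	p->upper = nu;
	p->inheritable &= nu;
	return true;
}

/* A successful exec(): the inheritable set becomes the effective set. */
void proc_secflags_exec(proc_secflags_t *p)
{
	p->effective = p->inheritable;
}

int main(void)
{
	/* Constructed starting state: A is mandatory, C is forbidden. */
	proc_secflags_t p = { .effective = SF_BIT_A, .inheritable = SF_BIT_A,
	    .lower = SF_BIT_A, .upper = SF_BIT_A | SF_BIT_B };

	printf("valid: %d\n", proc_secflags_valid(&p));
	printf("I := A|B: %d\n", proc_secflags_set_inheritable(&p, SF_BIT_A | SF_BIT_B));
	printf("I := A|C: %d (C is outside U)\n", proc_secflags_set_inheritable(&p, SF_BIT_A | SF_BIT_C));
	printf("I := B:   %d (drops A, which is in L)\n", proc_secflags_set_inheritable(&p, SF_BIT_B));
	proc_secflags_exec(&p);
	printf("E after exec: %#x\n", p.effective);
	return 0;
}
```

The two rejected calls in main() show the two directions of the bound check: a flag above U can never be requested, and a flag in L can never be shed, so an unprivileged caller can tighten mitigations for its children but not escape the floor set above it.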
A new basic privilege, PRIV_PROC_SECFLAGS, is introduced. A process holding this privilege may change the security flags of any process to which it could send a signal.
Defaults for the security flag groups are specified as properties on svc:/system/process-security, which we introduce. The set of flags to use for the effective set of any other service may be set in its method context. A new zones resource is introduced to allow the configuration of all 4 sets for a given zone.