| author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-10-17 13:02:40 +0000 |
|---|---|---|
| committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-10-17 13:02:40 +0000 |
| commit | 59a59b276f274cff7e883bcc3e10c162cfb3a263 (patch) | |
| tree | 59b25df56be42eb7c8aae7cb02d6f1d39ec61b15 /usr/src/cmd/zoneadmd/vplat.c | |
| parent | 8259b03da3b4ab815c3b6180f813fcfd57984470 (diff) | |
| parent | d2a70789f056fc6c9ce3ab047b52126d80b0e3da (diff) | |
| download | illumos-joyent-59a59b276f274cff7e883bcc3e10c162cfb3a263.tar.gz | |
[illumos-gate merge]
commit d2a70789f056fc6c9ce3ab047b52126d80b0e3da
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (ASLR)
7031 noexec_user_stack should be a security-flag
7032 want a means to forbid mappings around NULL
commit 8ab1c3f559468e655c4eb8acce993320403dd72b
7469 loader should use acpica provided by OS
commit a1964bdd47804c37e09db1a79c23937c9aeac165
7470 acpi build sometimes doesn't descend into SUBDIRS
commit abf99a006172ea5aab2246bda23f9d6d935bf1ad
7420 signalfd deadlock on pollwakeup
7421 panic in signalfd
Conflicts:
usr/src/cmd/sgs/libconv/common/corenote.c
usr/src/cmd/zonecfg/zonecfg.c
usr/src/cmd/zonecfg/zonecfg.h
usr/src/cmd/zonecfg/zonecfg_grammar.y
usr/src/cmd/zonecfg/zonecfg_lex.l
usr/src/head/libzonecfg.h
usr/src/lib/libzonecfg/common/libzonecfg.c
usr/src/man/man1m/zonecfg.1m
usr/src/man/man4/proc.4
usr/src/pkg/manifests/system-test-ostest.mf
usr/src/test/os-tests/tests/Makefile
usr/src/uts/common/exec/elf/elf.c
usr/src/uts/common/io/signalfd.c
usr/src/uts/common/os/sysent.c
usr/src/uts/common/os/zone.c
usr/src/uts/common/sys/proc.h
usr/src/uts/common/sys/zone.h
Diffstat (limited to 'usr/src/cmd/zoneadmd/vplat.c')
| -rw-r--r-- | usr/src/cmd/zoneadmd/vplat.c | 96 |
1 files changed, 95 insertions, 1 deletions
diff --git a/usr/src/cmd/zoneadmd/vplat.c b/usr/src/cmd/zoneadmd/vplat.c
index 238157f2f9..d65caeade1 100644
--- a/usr/src/cmd/zoneadmd/vplat.c
+++ b/usr/src/cmd/zoneadmd/vplat.c
@@ -77,6 +77,7 @@
 #include <sys/stropts.h>
 #include <sys/conf.h>
 #include <sys/systeminfo.h>
+#include <sys/secflags.h>
 #include <libdlpi.h>
 #include <libdllink.h>
 
@@ -4532,6 +4533,96 @@ setup_zone_hostid(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) } static int +setup_zone_secflags(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) +{ + psecflags_t secflags; + struct zone_secflagstab tab = {0}; + secflagdelta_t delt; + int res; + + res = zonecfg_lookup_secflags(handle, &tab); + + if ((res != Z_OK) && + /* The general defaulting code will handle this */ + (res != Z_NO_ENTRY) && (res != Z_BAD_PROPERTY)) { + zerror(zlogp, B_FALSE, "security-flags property is " + "invalid: %d", res); + return (res); + } + + if (strlen(tab.zone_secflags_lower) == 0) + (void) strlcpy(tab.zone_secflags_lower, "none", + sizeof (tab.zone_secflags_lower)); + if (strlen(tab.zone_secflags_default) == 0) + (void) strlcpy(tab.zone_secflags_default, + tab.zone_secflags_lower, + sizeof (tab.zone_secflags_default)); + if (strlen(tab.zone_secflags_upper) == 0) + (void) strlcpy(tab.zone_secflags_upper, "all", + sizeof (tab.zone_secflags_upper)); + + if (secflags_parse(NULL, tab.zone_secflags_default, + &delt) == -1) { + zerror(zlogp, B_FALSE, "default security-flags: '%s'" + "are invalid", tab.zone_secflags_default); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (default " + "security-flags: '%s')", + tab.zone_secflags_default); + return (Z_BAD_PROPERTY); + } else { + secflags_copy(&secflags.psf_inherit, &delt.psd_assign); + secflags_copy(&secflags.psf_effective, &delt.psd_assign); + } + + if (secflags_parse(NULL, tab.zone_secflags_lower, + &delt) == -1) { + zerror(zlogp, B_FALSE, "lower security-flags: '%s'" + "are invalid", tab.zone_secflags_lower); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (lower " + "security-flags: '%s')", + tab.zone_secflags_lower); + return (Z_BAD_PROPERTY); + } else { + 
secflags_copy(&secflags.psf_lower, &delt.psd_assign); + } + + if (secflags_parse(NULL, tab.zone_secflags_upper, + &delt) == -1) { + zerror(zlogp, B_FALSE, "upper security-flags: '%s'" + "are invalid", tab.zone_secflags_upper); + return (Z_BAD_PROPERTY); + } else if (delt.psd_ass_active != B_TRUE) { + zerror(zlogp, B_FALSE, "relative security-flags are not " + "allowed in zone configuration (upper " + "security-flags: '%s')", + tab.zone_secflags_upper); + return (Z_BAD_PROPERTY); + } else { + secflags_copy(&secflags.psf_upper, &delt.psd_assign); + } + + if (!psecflags_validate(&secflags)) { + zerror(zlogp, B_TRUE, "security-flags violate invariants"); + return (Z_BAD_PROPERTY); + } + + if ((res = zone_setattr(zoneid, ZONE_ATTR_SECFLAGS, &secflags, + sizeof (secflags))) != 0) { + zerror(zlogp, B_TRUE, + "security-flags couldn't be set: %d", res); + return (Z_SYSTEM); + } + + return (Z_OK); +} + +static int setup_zone_fs_allowed(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) { char fsallowed[ZONE_FS_ALLOWED_MAX]; @@ -4548,7 +4639,7 @@ setup_zone_fs_allowed(zone_dochandle_t handle, zlog_t *zlogp, zoneid_t zoneid) report_prop_err(zlogp, "fs-allowed", fsallowed, res); return (res); } else if (fsallowed[0] == '-') { - /* dropping default privs - use remaining list */ + /* dropping default filesystems - use remaining list */ if (fsallowed[1] != ',') return (Z_OK); fsallowedp += 2; @@ -4583,6 +4674,9 @@ setup_zone_attrs(zlog_t *zlogp, zoneid_t zoneid) if ((res = setup_zone_fs_allowed(snap_hndl, zlogp, zoneid)) != Z_OK) goto out; + if ((res = setup_zone_secflags(handle, zlogp, zoneid)) != Z_OK) + goto out; + out: return (res); } |
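Review bot: The lookup check at the top of setup_zone_secflags tolerates `Z_BAD_PROPERTY` as well as `Z_NO_ENTRY`, so a security-flags entry that zonecfg_lookup_secflags rejects is treated like a missing one and the zone silently boots with the fallbacks filled in just below (lower `none`, default copied from lower, upper `all`). What `Z_BAD_PROPERTY` covers is decided in libzonecfg, outside this diff; if it can mean a malformed entry, fail the boot or log the fallback, for example by tolerating only the absent case: `if ((res != Z_OK) && (res != Z_NO_ENTRY)) {`. Two smaller points in the same function: the three `'%s'" "are invalid"` literals concatenate without a space, and `zerror(zlogp, B_TRUE, "security-flags violate invariants")` asks for strerror(errno) after a boolean validity check that presumably leaves errno untouched, so `B_FALSE` looks intended there.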
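Review bot: The added call passes `handle`, while the setup_zone_fs_allowed call directly above it passes `snap_hndl`, and the signature in the hunk header, `setup_zone_attrs(zlog_t *zlogp, zoneid_t zoneid)`, has no handle parameter. The function's opening lines are outside the hunk, so a local `handle` may exist, but if it does not this fails to build, and if it does the secflags are read from a different handle than the other zone attributes. Since this is a merge from illumos-gate, the line may have been carried over unadapted; `if ((res = setup_zone_secflags(snap_hndl, zlogp, zoneid)) != Z_OK)` would match the neighbouring call.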
