author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-10-17 13:02:40 +0000 |
---|---|---|
committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-10-17 13:02:40 +0000 |
commit | 59a59b276f274cff7e883bcc3e10c162cfb3a263 (patch) | |
tree | 59b25df56be42eb7c8aae7cb02d6f1d39ec61b15 /usr/src/lib/librestart/common/librestart.c | |
parent | 8259b03da3b4ab815c3b6180f813fcfd57984470 (diff) | |
parent | d2a70789f056fc6c9ce3ab047b52126d80b0e3da (diff) | |
download | illumos-joyent-59a59b276f274cff7e883bcc3e10c162cfb3a263.tar.gz |
[illumos-gate merge]
commit d2a70789f056fc6c9ce3ab047b52126d80b0e3da
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (ASLR)
7031 noexec_user_stack should be a security-flag
7032 want a means to forbid mappings around NULL
commit 8ab1c3f559468e655c4eb8acce993320403dd72b
7469 loader should use acpica provided by OS
commit a1964bdd47804c37e09db1a79c23937c9aeac165
7470 acpi build sometimes doesn't descend into SUBDIRS
commit abf99a006172ea5aab2246bda23f9d6d935bf1ad
7420 signalfd deadlock on pollwakeup
7421 panic in signalfd
Conflicts:
usr/src/cmd/sgs/libconv/common/corenote.c
usr/src/cmd/zonecfg/zonecfg.c
usr/src/cmd/zonecfg/zonecfg.h
usr/src/cmd/zonecfg/zonecfg_grammar.y
usr/src/cmd/zonecfg/zonecfg_lex.l
usr/src/head/libzonecfg.h
usr/src/lib/libzonecfg/common/libzonecfg.c
usr/src/man/man1m/zonecfg.1m
usr/src/man/man4/proc.4
usr/src/pkg/manifests/system-test-ostest.mf
usr/src/test/os-tests/tests/Makefile
usr/src/uts/common/exec/elf/elf.c
usr/src/uts/common/io/signalfd.c
usr/src/uts/common/os/sysent.c
usr/src/uts/common/os/zone.c
usr/src/uts/common/sys/proc.h
usr/src/uts/common/sys/zone.h
Diffstat (limited to 'usr/src/lib/librestart/common/librestart.c')
-rw-r--r-- | usr/src/lib/librestart/common/librestart.c | 116 |
1 files changed, 114 insertions, 2 deletions
diff --git a/usr/src/lib/librestart/common/librestart.c b/usr/src/lib/librestart/common/librestart.c
index 671cdf99ea..cebaf54884 100644
--- a/usr/src/lib/librestart/common/librestart.c
+++ b/usr/src/lib/librestart/common/librestart.c
@@ -53,6 +53,7 @@
 #include <syslog.h>
 #include <sys/corectl.h>
 #include <sys/machelf.h>
+#include <sys/secflags.h>
 #include <sys/task.h>
 #include <sys/types.h>
 #include <time.h>
@@ -2843,7 +2844,7 @@ restarter_get_method_context(uint_t version, scf_instance_t *inst,
 (prop = scf_property_create(h)) == NULL ||
 (val = scf_value_create(h)) == NULL) {
 err = mc_error_create(err, scf_error(),
- "Failed to create repository object: %s\n",
+ "Failed to create repository object: %s",
 scf_strerror(scf_error()));
 goto out;
 }
@@ -2895,7 +2896,7 @@ restarter_get_method_context(uint_t version, scf_instance_t *inst,
 goto out;
 default:
 err = mc_error_create(err, ret,
- "Get method environment failed : %s\n", scf_strerror(ret));
+ "Get method environment failed: %s", scf_strerror(ret));
 goto out;
 }
@@ -3103,6 +3104,82 @@ restarter_get_method_context(uint_t version, scf_instance_t *inst,
 }
 }
+ /* get security flags */
+ if ((methpg != NULL && scf_pg_get_property(methpg,
+ SCF_PROPERTY_SECFLAGS, prop) == SCF_SUCCESS) ||
+ (instpg != NULL && scf_pg_get_property(instpg,
+ SCF_PROPERTY_SECFLAGS, prop) == SCF_SUCCESS)) {
+ if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
+ ret = scf_error();
+ switch (ret) {
+ case SCF_ERROR_CONNECTION_BROKEN:
+ err = mc_error_create(err, ret, RCBROKEN);
+ break;
+
+ case SCF_ERROR_CONSTRAINT_VIOLATED:
+ err = mc_error_create(err, ret,
+ "\"%s\" property has multiple values.",
+ SCF_PROPERTY_SECFLAGS);
+ break;
+
+ case SCF_ERROR_NOT_FOUND:
+ err = mc_error_create(err, ret,
+ "\"%s\" property has no values.",
+ SCF_PROPERTY_SECFLAGS);
+ break;
+
+ default:
+ bad_fail("scf_property_get_value", ret);
+ }
+
+ (void) strlcpy(cip->vbuf, ":default", cip->vbuf_sz);
+ } else {
+ ret = scf_value_get_astring(val, cip->vbuf,
+ cip->vbuf_sz);
+ assert(ret != -1);
+ }
+ mc_used++;
+ } else {
+ ret = scf_error();
+ switch (ret) {
+ case SCF_ERROR_NOT_FOUND:
+ /* okay if missing. */
+ (void) strlcpy(cip->vbuf, ":default", cip->vbuf_sz);
+ break;
+
+ case SCF_ERROR_CONNECTION_BROKEN:
+ err = mc_error_create(err, ret, RCBROKEN);
+ goto out;
+
+ case SCF_ERROR_DELETED:
+ err = mc_error_create(err, ret,
+ "Property group could not be found");
+ goto out;
+
+ case SCF_ERROR_HANDLE_MISMATCH:
+ case SCF_ERROR_INVALID_ARGUMENT:
+ case SCF_ERROR_NOT_SET:
+ default:
+ bad_fail("scf_pg_get_property", ret);
+ }
+ }
+
+
+ if (scf_default_secflags(h, &cip->def_secflags) != 0) {
+ err = mc_error_create(err, EINVAL, "couldn't fetch "
+ "default security-flags");
+ goto out;
+ }
+
+ if (strcmp(cip->vbuf, ":default") != 0) {
+ if (secflags_parse(NULL, cip->vbuf,
+ &cip->secflag_delta) != 0) {
+ err = mc_error_create(err, EINVAL, "couldn't parse "
+ "security flags: %s", cip->vbuf);
+ goto out;
+ }
+ }
+
 /* get (optional) corefile pattern */
 if ((methpg != NULL && scf_pg_get_property(methpg,
 SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS) ||
@@ -3343,6 +3420,12 @@ restarter_get_method_context(uint_t version, scf_instance_t *inst,
 cip->gid = 0;
 cip->euid = (uid_t)-1;
 cip->egid = (gid_t)-1;
+
+ if (scf_default_secflags(h, &cip->def_secflags) != 0) {
+ err = mc_error_create(err, EINVAL, "couldn't fetch "
+ "default security-flags");
+ goto out;
+ }
 }
 *mcpp = cip;
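Review bot: The only check on `scf_value_get_astring(val, cip->vbuf, cip->vbuf_sz)` in the security-flags block is `assert(ret != -1)`, which vanishes in a build with NDEBUG defined, so a failed read would hand whatever `cip->vbuf` already held to `secflags_parse` further down. Assuming the usual libscf contract where the return value is the untruncated string length, an over-long value is not detected either, and a truncated flag list that still parses would yield fewer mitigations than the manifest requested. Both cases should fail the method context explicitly, with a guard such as `if (ret == -1 || ret >= cip->vbuf_sz) {` followed by an `mc_error_create(...)` and `goto out;`, as the neighbouring error paths do. The enclosing function starts and ends outside the hunk.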
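Review bot: `cip->secflag_delta` is never written on this default-context path, nor in the earlier security-flags hunk when the property is missing or reads as `:default`, yet the `restarter_set_method_context` hunk passes `&cip->secflag_delta` to `psecflags(..., PSF_INHERIT, ...)` unconditionally. That is only safe if `cip` is zero-filled when it is allocated and an all-zero delta changes nothing; the allocation is not visible here, so both assumptions should be confirmed. A comment next to the added block would make the dependency explicit: `/* secflag_delta is left zeroed (no change) when no security-flags are configured */`. The block this hunk closes opens outside the visible lines.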
@@ -3510,6 +3593,35 @@ restarter_set_method_context(struct method_context *cip, const char **fp)
 }
 }
+
+ if (psecflags(P_PID, P_MYID, PSF_INHERIT,
+ &cip->def_secflags.ss_default) != 0) {
+ *fp = "psecflags (default inherit)";
+ ret = errno;
+ goto out;
+ }
+
+ if (psecflags(P_PID, P_MYID, PSF_LOWER,
+ &cip->def_secflags.ss_lower) != 0) {
+ *fp = "psecflags (default lower)";
+ ret = errno;
+ goto out;
+ }
+
+ if (psecflags(P_PID, P_MYID, PSF_UPPER,
+ &cip->def_secflags.ss_upper) != 0) {
+ *fp = "psecflags (default upper)";
+ ret = errno;
+ goto out;
+ }
+
+ if (psecflags(P_PID, P_MYID, PSF_INHERIT,
+ &cip->secflag_delta) != 0) {
+ *fp = "psecflags (from manifest)";
+ ret = errno;
+ goto out;
+ }
+
 if (restarter_rm_libs_loadable()) {
 if (cip->project == NULL) {
 if (settaskid(getprojid(), TASK_NORMAL) == -1) { |
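Review bot: The four `psecflags` calls carry no comment explaining why `PSF_INHERIT` is written twice or why the calls come in this order, so a reader cannot tell from the code that the second write appears to be the manifest's delta layered over the defaults. A comment above the first call would cover it: `/* Install the default inherit, lower and upper sets, then apply the manifest's delta to the inherited set. */`. The four blocks differ only in the `which` argument, the pointer passed and the `*fp` label, so a small table walked by a loop would remove the repetition if that suits the file's style. The function body starts and continues outside the hunk.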