[illumos-gate merge]

commit d2a70789f056fc6c9ce3ab047b52126d80b0e3da
    7029 want per-process exploit mitigation features (secflags)
    7030 want basic address space layout randomization (ASLR)
    7031 noexec_user_stack should be a security-flag
    7032 want a means to forbid mappings around NULL
commit 8ab1c3f559468e655c4eb8acce993320403dd72b
    7469 loader should use acpica provided by OS
commit a1964bdd47804c37e09db1a79c23937c9aeac165
    7470 acpi build sometimes doesn't descend into SUBDIRS
commit abf99a006172ea5aab2246bda23f9d6d935bf1ad
    7420 signalfd deadlock on pollwakeup
    7421 panic in signalfd

	Conflicts:
	usr/src/cmd/sgs/libconv/common/corenote.c
	usr/src/cmd/zonecfg/zonecfg.c
	usr/src/cmd/zonecfg/zonecfg.h
	usr/src/cmd/zonecfg/zonecfg_grammar.y
	usr/src/cmd/zonecfg/zonecfg_lex.l
	usr/src/head/libzonecfg.h
	usr/src/lib/libzonecfg/common/libzonecfg.c
	usr/src/man/man1m/zonecfg.1m
	usr/src/man/man4/proc.4
	usr/src/pkg/manifests/system-test-ostest.mf
	usr/src/test/os-tests/tests/Makefile
	usr/src/uts/common/exec/elf/elf.c
	usr/src/uts/common/io/signalfd.c
	usr/src/uts/common/os/sysent.c
	usr/src/uts/common/os/zone.c
	usr/src/uts/common/sys/proc.h
	usr/src/uts/common/sys/zone.h

3 files changed, 318 insertions, 10 deletions

diff --git a/usr/src/man/man1/Makefile b/usr/src/man/man1/Makefile
index 78cc21a2f3..25c5453c42 100644
--- a/usr/src/man/man1/Makefile
+++ b/usr/src/man/man1/Makefile
@@ -305,6 +305,7 @@ MANFILES=	acctcom.1			\
 	 	profiles.1			\
 	 	projects.1			\
 	 	ps.1				\
+		psecflags.1			\
 	 	ptree.1				\
 	 	pvs.1				\
 	 	pwd.1				\
diff --git a/usr/src/man/man1/ld.1 b/usr/src/man/man1/ld.1
index 7e5b133f38..1b0b0a5566 100644
--- a/usr/src/man/man1/ld.1
+++ b/usr/src/man/man1/ld.1
@@ -5,7 +5,7 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with
 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH LD 1 "Sep 10, 2013"
+.TH LD 1 "Jun 6, 2016"
 .SH NAME
 ld \- link-editor for object files
 .SH SYNOPSIS
@@ -20,7 +20,7 @@ ld \- link-editor for object files
 [\fB-Q\fR y | n] [\fB-R\fR \fIpath\fR] [\fB-s\fR] [\fB-S\fR \fIsupportlib\fR] [\fB-t\fR]
 [\fB-u\fR \fIsymname\fR] [\fB-V\fR] [\fB-Y P\fR\fI,dirlist\fR] [\fB-z\fR absexec]
 [\fB-z\fR allextract | defaultextract | weakextract ] [\fB-z\fR altexec64]
-[\fB-z\fR assert-deflib ] [ \fB-z\fR assert-deflib=\fIlibname\fR ]
+[\fB-z\fR aslr[=\fIstate\fR]] [\fB-z\fR assert-deflib] [ \fB-z\fR assert-deflib=\fIlibname\fR]
 [\fB-z\fR combreloc | nocombreloc ] [\fB-z\fR defs | nodefs]
 [\fB-z\fR direct | nodirect] [\fB-z\fR endfiltee]
 [\fB-z\fR fatal-warnings | nofatal-warnings ] [\fB-z\fR finiarray=\fIfunction\fR]
@@ -39,7 +39,6 @@ ld \- link-editor for object files
 .fi
 
 .SH DESCRIPTION
-.sp
 .LP
 The link-editor, \fBld\fR, combines relocatable object files by resolving
 symbol references to symbol definitions, together with performing relocations.
@@ -104,7 +103,6 @@ Similarly, only objects of a single machine type are allowed. See the
 \fB-32\fR, \fB-64\fR and \fB-z target\fR options, and the \fBLD_NOEXEC_64\fR
 environment variable.
 .SS "Static Executables"
-.sp
 .LP
 The creation of static executables has been discouraged for many releases. In
 fact, 64-bit system archive libraries have never been provided. Because a
@@ -140,7 +138,6 @@ executables is no longer achievable without specialized system knowledge.
 However, the capability of \fBld\fR to process static linking options, and the
 processing of archive libraries, remains unchanged.
 .SH OPTIONS
-.sp
 .LP
 The following options are supported.
 .sp
@@ -845,6 +842,23 @@ link-editor\fR in \fILinker and Libraries Guide\fR.
 .sp
 .ne 2
 .na
+\fB-z\fR \fBaslr[=\fIstate\fR]\fR
+.ad
+.sp .6
+.RS 4n
+Specify whether the executable's address space should be randomized on
+execution.  If \fIstate\fR is "enabled" randomization will always occur when
+this executable is run (regardless of inherited settings).  If \fIstate\fR is
+"disabled" randomization will never occur when this executable is run.  If
+\fIstate\fR is omitted, ASLR is enabled.
+
+An executable that should simply use the settings inherited from its
+environment should not use this flag at all.
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fB-z\fR \fBcombreloc\fR | \fBnocombreloc\fR\fR
 .ad
 .sp .6
@@ -1629,7 +1643,6 @@ occurring.
 .RE
 
 .SH ENVIRONMENT VARIABLES
-.sp
 .ne 2
 .na
 \fB\fBLD_ALTEXEC\fR\fR
@@ -1758,7 +1771,6 @@ Notice that environment variable-names that begin with the
 characters '\fBLD_\fR' are reserved for possible future enhancements to \fBld\fR and
 \fBld.so.1\fR(1).
 .SH FILES
-.sp
 .ne 2
 .na
 \fB\fBlib\fIx\fR.so\fR\fR
@@ -1808,7 +1820,6 @@ defining memory layouts, aligning bss, and defining non-executable stacks.
 .RE
 
 .SH ATTRIBUTES
-.sp
 .LP
 See \fBattributes\fR(5) for descriptions of the following attributes:
 .sp
@@ -1824,7 +1835,6 @@ Interface Stability	Committed
 .TE
 
 .SH SEE ALSO
-.sp
 .LP
 \fBas\fR(1), \fBcrle\fR(1), \fBgprof\fR(1), \fBld.so.1\fR(1), \fBldd\fR(1),
 \fBmcs\fR(1), \fBpvs\fR(1), \fBexec\fR(2), \fBstat\fR(2), \fBdlopen\fR(3C),
@@ -1834,7 +1844,6 @@ Interface Stability	Committed
 .LP
 \fILinker and Libraries Guide\fR
 .SH NOTES
-.sp
 .LP
 Default options applied by \fBld\fR are maintained for historic reasons. In
 today's programming environment, where dynamic objects dominate, alternative
diff --git a/usr/src/man/man1/psecflags.1 b/usr/src/man/man1/psecflags.1
new file mode 100644
index 0000000000..19ca22755e
--- /dev/null
+++ b/usr/src/man/man1/psecflags.1
@@ -0,0 +1,298 @@
+'\" te
+.\" This file and its contents are supplied under the terms of the
+.\" Common Development and Distribution License ("CDDL"), version 1.0.
+.\" You may only use this file in accordance with the terms of version
+.\" 1.0 of the CDDL.
+.\"
+.\" A full copy of the text of the CDDL should have accompanied this
+.\" source.  A copy of the CDDL is also available via the Internet at
+.\" http://www.illumos.org/license/CDDL.
+.\"
+.\" Copyright 2015, Richard Lowe.
+.\"
+.TH "PSECFLAGS" "1" "June 6, 2016"
+.SH "NAME"
+\fBpsecflags\fR - inspect or modify process security flags
+.SH "SYNOPSIS"
+.LP
+.nf
+\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
+[\fIarg\fR]...
+.fi
+.LP
+.nf
+\fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
+\fIid\fR ...
+.fi
+.LP
+.nf
+\fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
+.fi
+.LP
+.nf
+\fB/usr/bin/psecflags\fR \fI-l\fR
+.fi
+
+.SH "DESCRIPTION"
+The first invocation of the \fBpsecflags\fR command runs the specified
+\fIcommand\fR with the security-flags modified as described by the \fI-s\fR
+argument.
+.P
+The second invocation modifies the security-flags of the processes described
+by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
+.P
+The third invocation describes the security-flags of the specified processes
+or core files.  The effective set is signified by '\fBE\fR', the inheritable
+set by '\fBI\fR', the lower set by '\fBL\fR', and the upper set by '\fBU\fR'.
+.P
+The fourth invocation lists the supported process security-flags, documented
+in \fBsecurity-flags\fR(5).
+
+.SH "OPTIONS"
+The following options are supported:
+.sp
+.ne 2
+.na
+\fB-e\fR
+.ad
+.RS 11n
+Interpret the remaining arguments as a command line and run the command with
+the security-flags specified with the \fI-s\fR flag.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-F\fR
+.ad
+.RS 11n
+Force. Grab the target process even if another process has control.
+.RE
+
+.sp
+.ne 2
+.na
+\fB-i\fR \fIidtype\fR
+.ad
+.RS 11n
+This option, together with the \fIid\fR arguments specify one or more
+processes whose security-flags will be modified. The interpretation of the
+\fIid\fR arguments is based on \fIidtype\fR. If \fIidtype\fR is omitted the
+default is \fBpid\fR.
+
+Valid \fIidtype\fR options are:
+.sp
+.ne 2
+.na
+\fBall\fR
+.ad
+.RS 11n
+The \fBpsecflags\fR command applies to all processes
+.RE
+
+.sp
+.ne 2
+.na
+\fBcontract\fR, \fBctid\fR
+.ad
+.RS 11n
+The security-flags of any process with a contract ID matching the \fIid\fR
+arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBgroup\fR, \fBgid\fR
+.ad
+.RS 11n
+The security-flags of any process with a group ID matching the \fIid\fR
+arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBpid\fR
+.ad
+.RS 11n
+The security-flags of any process with a process ID matching the \fIid\fR
+arguments are modified. This is the default.
+.RE
+
+.sp
+.ne 2
+.na
+\fBppid\fR
+.ad
+.RS 11n
+The security-flags of any processes whose parent process ID matches the
+\fIid\fR arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBproject\fR, \fBprojid\fR
+.ad
+.RS 11n
+The security-flags of any process whose project ID matches the \fIid\fR
+arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBsession\fR, \fBsid\fR
+.ad
+.RS 11n
+The security-flags of any process whose session ID matches the \fIid\fR
+arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBtaskid\fR
+.ad
+.RS 11n
+The security-flags of any process whose task ID matches the \fIid\fR arguments
+are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBuser\fR, \fBuid\fR
+.ad
+.RS 11n
+The security-flags of any process belonging to the users matching the \fIid\fR
+arguments are modified.
+.RE
+
+.sp
+.ne 2
+.na
+\fBzone\fR, \fBzoneid\fR
+.ad
+.RS 11n
+The security-flags of any process running in the zones matching the given
+\fIid\fR arguments are modified.
+.RE
+.RE
+
+.sp
+.ne 2
+.na
+\fB-l\fR
+.ad
+.RS 11n
+List all supported process security-flags, described in
+\fBsecurity-flags\fR(5).
+.RE
+
+.sp
+.ne 2
+.na
+\fB-s\fR \fIspecification\fR
+.ad
+.RS 11n
+Modify the process security-flags according to
+\fIspecification\fR. Specifications take the form of a comma-separated list of
+flags, optionally preceded by a '-' or '!'. Where '-' and '!' indicate that the
+given flag should be removed from the specification.  The pseudo-flags "all",
+"none" and "current" are supported, to indicate that all flags, no flags, or
+the current set of flags (respectively) are to be included.
+.P
+By default, the inheritable flags are changed.  You may optionally specify the
+set to change using their single-letter identifiers and an equals sign.
+.P
+For a list of valid security-flags, see \fBpsecflags -l\fR.
+.RE
+
+.SH "EXAMPLES"
+.LP
+\fBExample 1\fR Display the security-flags of the current shell.
+.sp
+.in +2
+.nf
+example$ \fBpsecflags $$\fR
+100718:	-sh
+	E:	aslr
+	I:	aslr
+	L:	none
+	U:	aslr,forbidnullmap,noexecstack
+.fi
+.in -2
+.sp
+
+.LP
+\fBExample 2\fR Run a user command with ASLR enabled in addition to any
+inherited security flags.
+.sp
+.in +2
+.nf
+example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
+$ psecflags $$
+100724:	-sh
+	E:	none
+	I:	aslr
+	L:	none
+	U:	aslr,forbidnullmap,noexecstack
+.fi
+.in -2
+.sp
+
+.LP
+\fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
+.sp
+.in +2
+.nf
+example# \fBpsecflags -s current,-aslr -i uid bob\fR
+.fi
+.in -2
+
+.LP
+\fBExample 4\fR Add the aslr flag to the lower set, so that all future
+child processes must have this flag set.
+.sp
+.in +2
+.nf
+example# \fBpsecflags -s L=current,aslr $$\fR
+.fi
+.in -2
+
+.SH "EXIT STATUS"
+The following exit values are returned:
+
+.TP
+\fB0\fR
+.IP
+Success.
+
+.TP
+\fBnon-zero\fR
+.IP
+An error has occurred.
+
+.SH "ATTRIBUTES"
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+box;
+c | c
+l | l .
+ATTRIBUTE TYPE	ATTRIBUTE VALUE
+_
+Interface Stability	Volatile
+.TE
+
+.SH "SEE ALSO"
+.BR exec (2),
+.BR attributes (5),
+.BR contract (4),
+.BR security-flags (5),
+.BR zones (5)