authorRichard Lowe <richlowe@richlowe.net>2014-04-16 02:39:14 +0100
committerRichard Lowe <richlowe@richlowe.net>2016-10-15 12:02:16 -0400
commitd2a70789f056fc6c9ce3ab047b52126d80b0e3da (patch)
treebcf5eedbc5aeec80cac59ea37052e3b87108c253 /usr/src/uts/common/os/cred.c
parent8ab1c3f559468e655c4eb8acce993320403dd72b (diff)
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (ASLR) 7031 noexec_user_stack should be a security-flag 7032 want a means to forbid mappings around NULL Reviewed by: Robert Mustacchi <rm@joyent.com> Reviewed by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net> Reviewed by: Patrick Mooney <pmooney@joyent.com> Approved by: Dan McDonald <danmcd@omniti.com>
Diffstat (limited to 'usr/src/uts/common/os/cred.c')
-rw-r--r--usr/src/uts/common/os/cred.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/usr/src/uts/common/os/cred.c b/usr/src/uts/common/os/cred.c
index 733fd03a92..25727d54c5 100644
--- a/usr/src/uts/common/os/cred.c
+++ b/usr/src/uts/common/os/cred.c
@@ -215,6 +215,8 @@ cred_init(void)
priv_fillset(&CR_LPRIV(kcred));
CR_IPRIV(kcred) = *priv_basic;
+ priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
+
/* Not a basic privilege, if chown is not restricted add it to I0 */
if (!rstchown)
priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
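Review bot: The added `priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);` has no comment saying why this privilege goes into kcred's inheritable set unconditionally, whereas the chown addition just below it is both commented and gated on `rstchown`. The line widens a set that was just seeded from `*priv_basic`, and presumably affects what credentials derived from kcred can pass on, so the reasoning belongs next to it, for example `/* proc_secflags is not in the basic set; added to I0 because <reason> */` with the actual reason filled in. The existing comment "Not a basic privilege, ..." now follows an unrelated priv_addset, so naming the privilege there (`/* file_chown_self is not a basic privilege, ... */`) would keep it unambiguous. cred_init starts and ends outside this hunk, so how kcred's other privilege sets are handled is not visible here.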
@@ -1255,7 +1257,7 @@ eph_gid_alloc(zone_t *zone, int flags, gid_t *start, int count)
void
get_ephemeral_data(zone_t *zone, uid_t *min_uid, uid_t *last_uid,
- gid_t *min_gid, gid_t *last_gid)
+ gid_t *min_gid, gid_t *last_gid)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);
@@ -1274,7 +1276,7 @@ get_ephemeral_data(zone_t *zone, uid_t *min_uid, uid_t *last_uid,
void
set_ephemeral_data(zone_t *zone, uid_t min_uid, uid_t last_uid,
- gid_t min_gid, gid_t last_gid)
+ gid_t min_gid, gid_t last_gid)
{
ephemeral_zsd_t *eph_zsd = get_ephemeral_zsd(zone);