Privileges in a Non-Global Zone
Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.
The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.
Table 26–1 Status of Privileges in Zones|
Privilege |
Status |
Notes |
|---|---|---|
|
cpc_cpu |
Optional |
Access to certain cpc(3CPC) counters |
|
dtrace_proc |
Optional |
fasttrap and pid providers; plockstat(1M) |
|
dtrace_user |
Optional |
profile and syscall providers |
|
graphics_access |
Optional |
ioctl(2) access to agpgart_io(7I) |
|
graphics_map |
Optional |
mmap(2) access to agpgart_io(7I) |
|
net_rawaccess |
Optional in shared-IP zones. Default in exclusive-IP zones. |
Raw PF_INET/PF_INET6 packet access |
|
proc_clock_highres |
Optional |
Use of high resolution timers |
|
proc_priocntl |
Optional |
Scheduling control; priocntl(1) |
|
sys_ipc_config |
Optional |
Raising IPC message queue buffer size |
|
sys_time |
Optional |
System time manipulation; xntp(1M) |
|
dtrace_kernel |
Prohibited |
Currently unsupported |
|
proc_zone |
Prohibited |
Currently unsupported |
|
sys_config |
Prohibited |
Currently unsupported |
|
sys_devices |
Prohibited |
Currently unsupported |
|
sys_linkdir |
Prohibited |
Currently unsupported |
|
sys_net_config |
Prohibited |
Currently unsupported |
|
sys_res_config |
Prohibited |
Currently unsupported |
|
sys_suser_compat |
Prohibited |
Currently unsupported |
|
proc_exec |
Required, Default |
Used to start init(1M) |
|
proc_fork |
Required, Default |
Used to start init(1M) |
|
sys_mount |
Required, Default |
Needed to mount required file systems |
|
sys_ip_config |
Required, Default in exclusive-IP zones Prohibited in shared-IP zones |
Required to boot zone and initialize IP networking in exclusive-IP zone |
|
contract_event |
Default |
Used by contract file system |
|
contract_observer |
Default |
Contract observation regardless of UID |
|
file_chown |
Default |
File ownership changes |
|
file_chown_self |
Default |
Owner/group changes for own files |
|
file_dac_execute |
Default |
Execute access regardless of mode/ACL |
|
file_dac_read |
Default |
Read access regardless of mode/ACL |
|
file_dac_search |
Default |
Search access regardless of mode/ACL |
|
file_dac_write |
Default |
Write access regardless of mode/ACL |
|
file_link_any |
Default |
Link access regardless of owner |
|
file_owner |
Default |
Other access regardless of owner |
|
file_setid |
Default |
Permission changes for setid, setgid, setuid files |
|
ipc_dac_read |
Default |
IPC read access regardless of mode |
|
ipc_dac_owner |
Default |
IPC write access regardless of mode |
|
ipc_owner |
Default |
IPC other access regardless of mode |
|
net_icmpaccess |
Default |
ICMP packet access: ping(1M) |
|
net_privaddr |
Default |
Binding to privileged ports |
|
proc_audit |
Default |
Generation of audit records |
|
proc_chroot |
Default |
Changing of root directory |
|
proc_info |
Default |
Process examination |
|
proc_lock_memory |
Default |
Locking memory; shmctl(2)and mlock(3C) If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory. |
|
proc_owner |
Default |
Process control regardless of owner |
|
proc_session |
Default |
Process control regardless of session |
|
proc_setid |
Default |
Setting of user/group IDs at will |
|
proc_taskid |
Default |
Assigning of task IDs to caller |
|
sys_acct |
Default |
Management of accounting |
|
sys_admin |
Default |
Simple system administration tasks |
|
sys_audit |
Default |
Management of auditing |
|
sys_nfs |
Default |
NFS client support |
|
sys_resource |
Default |
Resource limit manipulation |
The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.
Note –
Trusted Solaris privileges are interpreted only if the system is configured with Trusted Extensions.
Table 26–2 Status of Solaris Trusted Extensions Privileges in Zones
|
Solaris Trusted Extensions Privilege |
Status |
Notes |
|---|---|---|
|
file_downgrade_sl |
Optional |
Set the sensitivity label of file or directory to a sensitivity label that does not dominate the existing sensitivity label |
|
file_upgrade_sl |
Optional |
Set the sensitivity label of file or directory to a sensitivity label that dominates the existing sensitivity label |
|
sys_trans_label |
Optional |
Translate labels not dominated by sensitivity label |
|
win_colormap |
Optional |
Colormap restrictions override |
|
win_config |
Optional |
Configure or destroy resources that are permanently retained by the X server |
|
win_dac_read |
Optional |
Read from window resource not owned by client's user ID |
|
win_dac_write |
Optional |
Write to or create window resource not owned by client's user ID |
|
win_devices |
Optional |
Perform operations on input devices. |
|
win_dga |
Optional |
Use direct graphics access X protocol extensions; frame buffer privileges needed |
|
win_downgrade_sl |
Optional |
Change sensitivity label of window resource to new label dominated by existing label |
|
win_fontpath |
Optional |
Add an additional font path |
|
win_mac_read |
Optional |
Read from window resource with a label that dominates the client's label |
|
win_mac_write |
Optional |
Write to window resource with a label not equal to the client's label |
|
win_selection |
Optional |
Request data moves without confirmer intervention |
|
win_upgrade_sl |
Optional |
Change sensitivity label of window resource to a new label not dominated by existing label |
|
net_bindmlp |
Default |
Allows binding to a multilevel port (MLP) |
|
net_mac_aware |
Default |
Allows reading down through NFS |
To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone
To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.
- © 2010, Oracle Corporation and/or its affiliates