The following Trusted Solaris security mechanisms are extendable:
Audit events and classes--Adding audit events and audit classes is described in the Trusted Solaris Audit Administration.
Rights profiles--Adding rights profiles is described in "Adding or Modifying a Rights Profile".
Roles--Adding roles is described in "Creating a New Role".
Authorizations and privileges--The rest of this section describes how to add authorizations and privileges.
Adding a new authorization consists of:
Adding a header entry for the site's authorizations into the auth_attr(4) database.
Adding a grant authorization into the auth_attr database that enables a role to assign the new authorization to others.
Adding the new authorization entry to the auth_attr database.
If you are running a name service, adding the new entries to the name service auth_attr database.
Writing or modifying an application to check for the new authorization.
In a default Trusted Solaris system, only the device allocation mechanism accepts new authorizations. Of course, a site can write other applications that check for new authorizations.
The example detailed in "To Add an Authorization to the Environment" makes use of the fact that the device allocation authorization is configurable.
Assigning the new authorization to user or role accounts.
The format for an entry in the auth_attr(4) file is:
name:res1:res2:short_desc:long_desc:attr
The short_desc field is a brief description of the activity permitted by the authorization. The long_desc field is used by the Solaris Management Console when it displays authorizations. A help file, specified in the attr field with the keyword-value pair help=filename, is displayed in the online help. filename must be located in the directory whose final component is the name of the locale: /usr/lib/help/auths/locale/localename.
The following screen shows the default device allocation authorization in the auth_attr file in the C locale. The help file in the C locale is /usr/lib/help/auths/locale/C/DevAllocate.html.
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
The example below shows two finer-grained device allocation authorizations that could be used to replace the default one above, one for tape devices and one for floppy devices. In the example, the authorizations' names start with the Internet domain name of the NewCo company.
com.newco.device.allocate.tape:::Allocate Tape Device::help=TapeAllocate.html
com.newco.device.allocate.floppy:::Allocate Floppy Device::help=FloppyAllocate.html
The next example shows the solaris.device.allocate authorization replaced in the device_allocate(4) file entry for floppy_0 with com.newco.device.allocate.floppy. This change would be made by the Security Administrator role using the Device Allocation Manager, as described in "To Add an Authorization to the Environment". After this substitution, any user attempting to allocate the floppy device must have the new authorization.
floppy_0;fd;0x00000000000000000000000000000000000000000000000000000000000000000000;0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;com.newco.device.allocate.floppy;/etc/security/lib/disk_clean
Adding a new privilege consists of adding an entry for the privilege into these two files:
/usr/include/sys/tsol/priv_names.h
/usr/lib/tsol/locale/C/priv_name
The /usr/include/sys/tsol/priv_names.h header file contains manifest constants and associated numbers for privileges. Up to 128 possible privileges are allowed. As shown in the following screen example, the definitions for the default privileges range from 1 to 86 (with 0 meaning no privileges). Not all 86 privileges are defined since some have been retired.
The manifest constants and numbers for default privileges in priv_names.h are:
PRIV_FILE_AUDIT = 1, /* operational */
PRIV_FILE_CHOWN = 2, /* operational */
PRIV_FILE_DAC_EXECUTE = 3, /* policy */
. . .
PRIV_WIN_SELECTION = 84, /* operational */
PRIV_WIN_UPGRADE_SL = 86, /* operational */
Privileges available for extension follow the /* Reserved for ISV..*/ text in the file:
/* Reserved for ISV, GOTS, integrator, ... use */
. . .
reserved127 = 127,
reserved128 = 128
If you wish to interoperate with other systems, you should contact your Trusted Solaris representative to reserve a privilege number.
The following is the format for an entry in /usr/lib/tsol/locale/locale_name/priv_name:
number:name:description
The value of number in the priv_name(4) file must match the privilege ID in the /usr/include/sys/tsol/priv_names.h file. name must be concise and descriptive for display in user interfaces.
description describes the activity permitted by the privilege. The definition guides the Security Administrator role when assigning privileges to programs.
The following is an example of a privilege in the default priv_name file:
4:file_dac_read:Allows a process to read a file or directory \
whose permission bits or ACL do not allow the process read permission.
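The auth_attr(4), device_allocate(4) and priv_name(4) formats described above must agree with each other: a help= file must exist in the locale help directory, a device entry must name an authorization that is actually defined, and a priv_name number must match a constant in priv_names.h. The following check is an added example, not part of the Trusted Solaris documentation or product; its file contents are constructed inline (labels shortened, one deliberate mistake of each kind) and the function names are hypothetical.

```python
import re

# Constructed auth_attr(4) lines, modelled on the entries shown above.
AUTH_ATTR = """\
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
com.newco.device.allocate.tape:::Allocate Tape Device::help=TapeAllocate.html
com.newco.device.allocate.floppy:::Allocate Floppy Device::help=FloppyAllocate.html
"""
# Constructed device_allocate(4) lines; the second names a misspelled authorization.
DEVICE_ALLOCATE = """\
floppy_0;fd;0x0;0x7f;com.newco.device.allocate.floppy;/etc/security/lib/disk_clean
mag_tape_0;st;0x0;0x7f;com.newco.device.allocate.tapes;/etc/security/lib/st_clean
"""
# Constructed priv_names.h fragment and priv_name lines; 128 has no matching constant.
PRIV_NAMES_H = "PRIV_FILE_DAC_READ = 4, /* policy */\nPRIV_NEWCO_SITE = 127, /* site */\n"
PRIV_NAME = "4:file_dac_read:Allows a process to read a file ...\n128:newco_site:Site privilege\n"
# Constructed listing of /usr/lib/help/auths/locale/C (FloppyAllocate.html was never written).
HELP_FILES = {"DevAllocate.html", "TapeAllocate.html"}

def parse_auth_attr(text):
    """Map name -> {attr key: value} from name:res1:res2:short_desc:long_desc:attr lines."""
    auths = {}
    for line in filter(None, text.splitlines()):
        name, _r1, _r2, _short, _long, attr = line.split(":", 5)
        auths[name] = dict(kv.split("=", 1) for kv in attr.split(";") if kv)
    return auths

def parse_priv_names_h(text):
    """Map privilege number -> manifest constant from 'PRIV_X = n,' definitions."""
    return {int(n): c for c, n in re.findall(r"(PRIV_\w+)\s*=\s*(\d+)", text)}

def check_site_extensions(auth_attr, device_allocate, priv_names_h, priv_name, help_files):
    """Return a list of problems; an empty list means the files agree with each other."""
    problems = []
    auths = parse_auth_attr(auth_attr)
    for name, attr in auths.items():            # help= must point at a file in the locale directory
        if attr.get("help") not in help_files:
            problems.append(f"{name}: help file {attr.get('help')} missing from locale help directory")
    for line in filter(None, device_allocate.splitlines()):  # device must require a defined authorization
        dev, _type, _min, _max, auth, _clean = line.split(";")
        if auth not in auths:
            problems.append(f"{dev}: authorization {auth} is not defined in auth_attr")
    ids = parse_priv_names_h(priv_names_h)
    for line in filter(None, priv_name.splitlines()):        # number must match priv_names.h, 1..128
        num, pname, _desc = line.split(":", 2)
        n = int(num)
        if not 1 <= n <= 128 or n not in ids:
            problems.append(f"{pname}: number {n} has no matching constant in priv_names.h")
    return problems

if __name__ == "__main__":
    for p in check_site_extensions(AUTH_ATTR, DEVICE_ALLOCATE, PRIV_NAMES_H, PRIV_NAME, HELP_FILES):
        print("PROBLEM:", p)
```

On a real system the same checks would read the files under /etc/security and the locale help directory; a misspelled authorization in device_allocate silently makes the device unallocatable by everyone, which is the failure this catches before it reaches users.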