Before you add a privilege, contact your Trusted Solaris representative to reserve a privilege number.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Use the Admin Editor action to open the /usr/include/sys/tsol/priv_names.h file for editing.
See "To Edit a Local File", if needed.
Follow the directions in the comment at the top of the priv_names.h file, shown below.
/*
 * ********************** IMPORTANT **********************
 *
 * The privilege names should be maintained in alphabetical order
 * not numeric order.
 *
 * When a privilege is retired it should be placed in the appropriate
 * reserved area in the form "tsol_reserved## = ##," or
 * "reserved## = ##".
 *
 * When a new privilege is needed, it should be taken from the first
 * available privilege in the appropriate reserved area.
 *
 * ISVs, GOTS', integrators who need privileges are encouraged to
 * request and retire them by contacting their respective Trusted
 * Solaris support representative.
 *
 * This file is parsed by the priv_to_str(3) functions.
 *
 * In order to guarantee correct parsing, the format of the
 * following priv_t definition must be preserved.
 *
 * Specifically, the following guidelines must be followed:
 *
 * 1. All privileges must have an explicitly assigned id.
 *    DO NOT RELY ON COMPILER TO ASSIGN IDs.
 *
 * 2. One privilege id assignment per line.
 *    DO NOT CONCATENATE OR BREAK LINES.
 *
 * 3. Do not use the `=' character at anywhere other than
 *    the privilege id assignment.
 *    For example, DO NOT use `=' in the comments.
 */
Create an entry in the priv_names.h file with the manifest constant for the privilege.
A sample entry is below.
PRIV_RISKY = 90,
Save and close the file.
Use the Admin Editor action to open the /usr/lib/tsol/locale/locale_name/priv_name file for editing.
In the C locale, for example, you would edit the /usr/lib/tsol/locale/C/priv_name file.
Create an entry with the privilege ID, name, and definition for the privilege in the priv_name file.
Make sure that you use the correct privilege ID.
A sample entry is below.
90:override everything:Allows a process to bypass all MAC and \
DAC checks and auditing flag settings and be otherwise totally \
unaccountable.
Save and close the file.
Copy the changed priv_names.h and priv_name files to all computers in the Trusted Solaris network, or make the same changes to those files on each computer.
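Because priv_names.h is parsed by the priv_to_str(3) functions and the priv_name file must carry the same privilege ID, a slip in either file (a concatenated line, an `=` in a comment, an ID that differs between the two files) breaks privilege-name translation on every computer the files are copied to. The following checker is an added example written for this page, not part of the Trusted Solaris documentation or its tools: it applies the three parsing rules from the priv_names.h header comment plus the alphabetical-order rule, parses the `id:name:definition` records of priv_name with their backslash continuations, and cross-checks the IDs. The two file samples are constructed; the `typedef enum priv_t` layout and every identifier other than PRIV_RISKY and the `tsol_reserved##` form are assumptions, not the real file contents.

```python
"""Consistency check for a new Trusted Solaris privilege entry (added example)."""
import re

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(\d+)\s*,?\s*$')
RESERVED_RE = re.compile(r'(tsol_)?reserved\d+')

# Constructed sample of a priv_names.h enum body; identifiers other than
# PRIV_RISKY are made up, and the typedef layout is assumed.
SAMPLE_PRIV_NAMES_H = """\
/*
 * ********************** IMPORTANT **********************
 * One privilege id assignment per line; no equals character
 * anywhere other than in the id assignments.
 */
typedef enum priv_t {
    PRIV_EXAMPLE_ALPHA = 1,
    PRIV_EXAMPLE_BETA = 2,
    PRIV_RISKY = 90,
    tsol_reserved91 = 91,
} priv_t;
"""

# Constructed sample of /usr/lib/tsol/locale/C/priv_name; the 90 record is
# the one shown in the procedure, the other two are made up.
SAMPLE_PRIV_NAME = """\
1:example alpha:Constructed sample privilege for the example.
2:example beta:Constructed sample privilege for the example.
90:override everything:Allows a process to bypass all MAC and \\
DAC checks and auditing flag settings and be otherwise totally \\
unaccountable.
"""


def _split_code_comment(line, in_comment):
    """Split one line into (code, comment_text, in_comment_after_line)."""
    code, comment, i = [], [], 0
    while i < len(line):
        if in_comment:
            end = line.find('*/', i)
            if end < 0:
                comment.append(line[i:]); i = len(line)
            else:
                comment.append(line[i:end]); i = end + 2; in_comment = False
        else:
            start = line.find('/*', i)
            if start < 0:
                code.append(line[i:]); i = len(line)
            else:
                code.append(line[i:start]); i = start + 2; in_comment = True
    return ''.join(code), ''.join(comment), in_comment


def check_priv_names_h(text):
    """Return (entries, problems): entries are (name, id, lineno) tuples;
    problems list violations of rules 1-3 and of alphabetical ordering."""
    entries, problems, in_comment = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, comment, in_comment = _split_code_comment(raw, in_comment)
        if '=' in comment:                       # rule 3
            problems.append(f"line {lineno}: '=' inside a comment")
        if '=' not in code:
            continue
        if code.count('=') > 1:                  # rule 2
            problems.append(f"line {lineno}: more than one id assignment on a line")
            continue
        m = ASSIGN_RE.match(code)                # rule 1: explicit numeric id
        if not m:
            problems.append(f"line {lineno}: malformed assignment {code.strip()!r}")
            continue
        entries.append((m.group(1), int(m.group(2)), lineno))
    seen = {}
    for name, pid, lineno in entries:
        if pid in seen:
            problems.append(f"line {lineno}: id {pid} already used by {seen[pid]}")
        seen.setdefault(pid, name)
    names = [n for n, _, _ in entries if not RESERVED_RE.fullmatch(n)]
    if names != sorted(names):
        problems.append("privilege names are not in alphabetical order")
    return entries, problems


def parse_priv_name(text):
    """Parse 'id:name:definition' records, joining backslash-continued lines.
    Returns (records, problems) with records keyed by privilege id."""
    records, problems, logical, first = {}, [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        first = lineno if first is None else first
        if raw.endswith('\\'):
            logical.append(raw[:-1])
            continue
        logical.append(raw)
        record, logical, start, first = ''.join(logical), [], first, None
        if not record.strip():
            continue
        parts = record.split(':', 2)
        if len(parts) != 3 or not parts[0].strip().isdigit():
            problems.append(f"line {start}: malformed record {record!r}")
            continue
        pid = int(parts[0])
        if pid in records:
            problems.append(f"line {start}: duplicate id {pid}")
        records[pid] = (parts[1], ' '.join(parts[2].split()))
    if logical:
        problems.append("file ends inside a continued line")
    return records, problems


def cross_check(entries, records):
    """Every non-reserved manifest constant needs a priv_name record and vice versa."""
    header_ids = {pid: n for n, pid, _ in entries if not RESERVED_RE.fullmatch(n)}
    problems = [f"{n} = {pid} has no entry in priv_name"
                for pid, n in sorted(header_ids.items()) if pid not in records]
    problems += [f"priv_name id {pid} has no manifest constant in priv_names.h"
                 for pid in sorted(records) if pid not in header_ids]
    return problems


def check_privilege_files(header_text, priv_name_text):
    """Run all checks; an empty list means the two edits are consistent."""
    entries, problems = check_priv_names_h(header_text)
    records, more = parse_priv_name(priv_name_text)
    return problems + more + cross_check(entries, records)


if __name__ == '__main__':
    for p in check_privilege_files(SAMPLE_PRIV_NAMES_H, SAMPLE_PRIV_NAME) or ['no problems found']:
        print(p)
```

Run it against the two files before copying them to the other computers; any output other than "no problems found" names the line to fix. The comment-aware split matters because rule 3 exists precisely so that a naive `=`-based parser such as the one behind priv_to_str(3) never mistakes comment text for an assignment.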