Adding New Privileges

Adding a new privilege consists of adding an entry for the privilege into these two files:

• /usr/include/sys/tsol/priv_names.h

• /usr/lib/tsol/locale/C/priv_name

The priv_names.h File

The /usr/include/sys/tsol/priv_names.h header file contains manifest constants and associated numbers for privileges. Up to 128 possible privileges are allowed. As shown in the following screen example, the definitions for the default privileges range from 1 to 86 (with 0 meaning no privileges). Not all 86 privileges are defined since some have been retired.

The manifest constants and numbers for default privileges in priv_names.h are:

PRIV_FILE_AUDIT = 1,		/* operational */
PRIV_FILE_CHOWN = 2,		/* operational */
PRIV_FILE_DAC_EXECUTE = 3,	/* policy */
										.						
										.						
										.						
PRIV_WIN_SELECTION = 84,	/* operational */
PRIV_WIN_UPGRADE_SL = 86,	/* operational */
 

Privileges available for extension follow the /* Reserved for ISV..*/ text in the file:

/* Reserved for ISV, GOTS, integrator, ... use */
										.						
										.						
	reserved127 = 127,
	reserved128 = 128

If you wish to interoperate with other systems, you should contact your Trusted Solaris representative to reserve a privilege number.

The priv_name File

The following is the format for an entry in /usr/lib/tsol/locale/locale_name/priv_name:

number:name:description

The value of number in the priv_name(4) file must match the privilege ID in the /usr/include/sys/tsol/priv_names.h file. name must be concise and descriptive for display in user interfaces.

description describes the activity permitted by the privilege. The definition guides the Security Administrator role when assigning privileges to programs.

The following is an example of a privilege in the default priv_name file:

4:file_dac_read:Allows a process to read a file or directory \
whose permission bits or ACL do not allow the process read permission.