Oracle Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Protect Nonallocatable Devices in Trusted Extensions

The No Users option in the Allocatable By section of the Device Configuration dialog box is used most often for the frame buffer and printer, which do not have to be allocated to be used.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. From the Trusted Path menu, select Allocate Device.

  2. In the Device Allocation Manager, click the Device Administration button.

  3. Select the new printer or frame buffer.

    1. To make the device nonallocatable, click No Users.

    2. (Optional) Restrict the label range on the device.

      1. Set the minimum label.

        Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

      2. Set the maximum label.

        Click the Max Label... button. Choose a maximum label from the label builder.


Example 17–1 Preventing Remote Allocation of the Audio Device

The No Users option in the Allocatable By section prevents remote users from hearing conversations around a remote system.

The security administrator configures the audio device in the Device Allocation Manager as follows:


Device Name: audio
For Allocations From: Trusted Path
Allocatable By: Authorized Users
Authorizations: solaris.device.allocate

Device Name: audio
For Allocations From: Non-Trusted Path
Allocatable By: No Users