Privileges in a Non-Global Zone

Language:

Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Oracle Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

Table 10-1 Status of Privileges in Zones

Privilege	Status	Notes
`cpc_cpu`	Optional	Access to certain `cpc`(3CPC) counters
`dtrace_proc`	Optional	`fasttrap` and `pid` providers; `plockstat`(1M)
`dtrace_user`	Optional	`profile` and `syscall` providers
`file_flag_set`	Optional	Allows a process to set immutable, nounlink or appendonly file attributes; can be used to mark files immutable in the global zone and the non-global zone cannot remove the files
`graphics_access`	Optional	`ioctl`(2) access to `agpgart_io`(7I)
`graphics_map`	Optional	`mmap`(2) access to `agpgart_io`(7I)
`net_rawaccess`	Optional in shared-IP zones. Default in exclusive-IP zones.	Raw `PF_INET/PF_INET6` packet access
`proc_clock_highres`	Optional	Use of high resolution timers
`proc_priocntl`	Optional	Scheduling control; `priocntl`(1)
`sys_ipc_config`	Optional	Increase IPC message queue buffer size
`sys_time`	Optional	System time manipulation; `xntp`(1M)
`dtrace_kernel`	Prohibited	Currently unsupported
`proc_zone`	Prohibited	Currently unsupported
`sys_config`	Prohibited	Currently unsupported
`sys_devices`	Prohibited	Currently unsupported
`sys_dl_config`	Prohibited	Currently unsupported
`sys_linkdir`	Prohibited	Currently unsupported
`sys_net_config`	Prohibited	Currently unsupported
`sys_res_config`	Prohibited	Currently unsupported
`sys_smb`	Prohibited	Currently unsupported
`sys_suser_compat`	Prohibited	Currently unsupported
`file_read`	Required, Default	Allows a process to read a file or directory whose permission or ACL allow the process read permission
`file_write`	Required, Default	Allows a process to write a file or directory whose permission or ACL allow the process write permission
`net_access`	Required, Default	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint
`proc_exec`	Required, Default	Used to start `init`(1M)
`proc_fork`	Required, Default	Used to start `init`(1M)
`sys_mount`	Required, Default	Needed to mount required file systems
`sys_flow_config`	Required, Default in exclusive-IP zones Prohibited in shared-IP zones	Needed to configure flows
`sys_ip_config`	Required, Default in exclusive-IP zones Prohibited in shared-IP zones	Required to boot zone and initialize IP networking in exclusive-IP zone
`sys_iptun_config`	Required, Default in exclusive-IP zones Prohibited in shared-IP zones	Configure IP tunnel links
`contract_event`	Default	Used by contract file system
`contract_identity`	Default	Set service FMRI value of a process contract template
`contract_observer`	Default	Contract observation regardless of UID
`file_chown`	Default	File ownership changes
`file_chown_self`	Default	Owner/group changes for own files
`file_dac_execute`	Default	Execute access regardless of mode/ACL
`file_dac_read`	Default	Read access regardless of mode/ACL
`file_dac_search`	Default	Search access regardless of mode/ACL
`file_dac_write`	Default	Write access regardless of mode/ACL
`file_link_any`	Default	Link access regardless of owner
`file_owner`	Default	Other access regardless of owner
`file_setid`	Default	Permission changes for `setid`, `setgid`, `setuid` files
`ipc_dac_read`	Default	IPC read access regardless of mode
`ipc_dac_write`	Default	Allow a process to write a System V IPC message queue, semaphore set, or shared memory segment in which the permission bits would not otherwise allow the process write permission
`ipc_dac_owner`	Default	IPC write access regardless of mode
`ipc_owner`	Default	IPC other access regardless of mode
`net_icmpaccess`	Default	ICMP packet access: `ping`(1M)
`net_observability`	Default	Allow a process to open a device for receiving network traffic; sending traffic is disallowed
`net_privaddr`	Default	Binding to privileged ports
`proc_audit`	Default	Generation of audit records
`proc_chroot`	Default	Changing of `root` directory
`proc_info`	Default	Process examination
`proc_lock_memory`	Default	Locking memory; `shmctl`(2)and `mlock`(3C) If this privilege is assigned to a non-global zone by the system administrator, consider also setting the `zone.max-locked-memory` resource control to prevent the zone from locking all memory.
`proc_owner`	Default	Process control regardless of owner
`proc_session`	Default	Process control regardless of session
`proc_setid`	Default	Setting of user/group IDs at will
`proc_taskid`	Default	Assigning of task IDs to caller
`sys_acct`	Default	Management of accounting
`sys_admin`	Default	Simple system administration tasks
`sys_audit`	Default	Management of auditing
`sys_nfs`	Default	NFS client support
`sys_ppp_config`	Default in exclusive—IP zones Prohibited in shared—IP zones	Create and destroy PPP (sppp) interfaces, configure PPP tunnels (sppptun)
`sys_resource`	Default	Resource limit manipulation
`sys_share`	Default	Allows `sharefs` system call needed to share file systems. Privilege can be prohibited in the zone configuration to prevent NFS sharing within a zone.

The following table lists all of the Oracle Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.

Note - Oracle Trusted Solaris privileges are interpreted only if the system is configured with Oracle Trusted Extensions.

Table 10-2 Status of Oracle Solaris Trusted Extensions Privileges in Zones

Oracle Solaris Trusted Extensions Privilege	Status	Notes
`file_downgrade_sl`	Optional	Set the sensitivity label of file or directory to a sensitivity label that does not dominate the existing sensitivity label
`file_upgrade_sl`	Optional	Set the sensitivity label of file or directory to a sensitivity label that dominates the existing sensitivity label
`sys_trans_label`	Optional	Translate labels not dominated by sensitivity label
`win_colormap`	Optional	Colormap restrictions override
`win_config`	Optional	Configure or destroy resources that are permanently retained by the X server
`win_dac_read`	Optional	Read from window resource not owned by client's user ID
`win_dac_write`	Optional	Write to or create window resource not owned by client's user ID
`win_devices`	Optional	Perform operations on input devices.
`win_dga`	Optional	Use direct graphics access X protocol extensions; frame buffer privileges needed
`win_downgrade_sl`	Optional	Change sensitivity label of window resource to new label dominated by existing label
`win_fontpath`	Optional	Add an additional font path
`win_mac_read`	Optional	Read from window resource with a label that dominates the client's label
`win_mac_write`	Optional	Write to window resource with a label not equal to the client's label
`win_selection`	Optional	Request data moves without confirmer intervention
`win_upgrade_sl`	Optional	Change sensitivity label of window resource to a new label not dominated by existing label
`net_bindmlp`	Default	Allows binding to a multilevel port (MLP)
`net_mac_aware`	Default	Allows reading down through NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone.

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.