System Administration Guide: Security Services

Configuring Device Policy

Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.

Procedure: How to View Device Policy

  1. Display the device policy for all devices on your system.
    % getdevpolicy | more
    DEFAULT
            read_priv_set=none
            write_priv_set=none
    ip:*
            read_priv_set=net_rawaccess
            write_priv_set=net_rawaccess
    …

Example 4–1 Viewing the Device Policy for a Specific Device

In this example, the device policy for three devices is displayed.
% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/hme
/dev/allkmem
        read_priv_set=all
        write_priv_set=all
/dev/ipsecesp
        read_priv_set=sys_net_config
        write_priv_set=sys_net_config
/dev/hme
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess

Procedure: How to Change the Device Policy on an Existing Device

  1. Assume a role that includes the Device Security rights profile, or become superuser.

    The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3.

  2. Add policy to a device.

    # update_drv -a -p policy device-driver

    -a

    Specifies a policy for device-driver.

    -p policy

    Is the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device.

    device-driver

    Is the device driver.

    For more information, see the update_drv(1M) man page.
Example 4–2 Adding Policy to an Existing Device

In the following example, device policy is added to the ipnat device.
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=none
        write_priv_set=none
# update_drv -a \
-p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess
Example 4–3 Removing Policy From a Device

In the following example, the read set of privileges is removed from the device policy for the ipnat device.
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess
# update_drv -a -p write_priv_set=net_rawaccess ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
        read_priv_set=none
        write_priv_set=net_rawaccess

Procedure: How to Audit Changes in Device Policy

By default, the as audit class includes the AUE_MODDEVPLCY audit event.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Preselect the audit class that includes the AUE_MODDEVPLCY audit event.

    Add the as class to the flags line of the audit_control file. The file would appear similar to the following:
    # audit_control file
    dir:/var/audit
    flags:lo,as
    minfree:20
    naflags:lo

    For detailed instructions, see How to Modify the audit_control File.
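The following shell script is an added example, not part of this guide: it parses getdevpolicy-style output (a constructed sample, not captured from a live system) to list devices that require no privilege to read or write, and checks whether the audit_control flags line preselects the as class so that AUE_MODDEVPLCY changes are recorded. On a Solaris system the sample text would be replaced by `getdevpolicy` output and the contents of /etc/security/audit_control.

```shell
#!/bin/sh
# Constructed sample of getdevpolicy output (assumed, not from a real system).
SAMPLE_POLICY='DEFAULT
        read_priv_set=none
        write_priv_set=none
ip:*
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess
ipnat
        read_priv_set=none
        write_priv_set=none
allkmem
        read_priv_set=all
        write_priv_set=all'

# Constructed sample audit_control file (assumed).
SAMPLE_AUDIT='# audit_control file
dir:/var/audit
flags:lo,as
minfree:20
naflags:lo'

# Read getdevpolicy-style text on stdin and print one line per device:
# "<device> <read_priv_set> <write_priv_set>".
flatten_policy() {
    awk '
        /^[^ \t]/         { dev = $1; next }
        /read_priv_set=/  { sub(/.*read_priv_set=/, "");  r = $0; next }
        /write_priv_set=/ { sub(/.*write_priv_set=/, ""); print dev, r, $0 }
    '
}

# Print devices (other than DEFAULT) whose read or write set is "none",
# i.e. devices that any unprivileged process may open for that access.
unprivileged_devices() {
    flatten_policy | awk '$1 != "DEFAULT" && ($2 == "none" || $3 == "none") { print $1 }'
}

# Exit 0 if the audit_control text on stdin preselects the "as" class
# (which contains AUE_MODDEVPLCY) on its flags line, 1 otherwise.
audits_device_policy() {
    awk -F: '$1 == "flags" { n = split($2, c, ","); for (i = 1; i <= n; i++) if (c[i] == "as") found = 1 }
             END { exit found ? 0 : 1 }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_POLICY" | unprivileged_devices
printf '%s\n' "$SAMPLE_AUDIT" | audits_device_policy && echo "audit_control preselects as"
```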

Procedure: How to Retrieve IP MIB-II Information From a /dev/* Device

Applications that retrieve Solaris IP MIB-II information should open /dev/arp, not /dev/ip.

  1. Determine the device policy on /dev/ip and /dev/arp.
    % getdevpolicy /dev/ip /dev/arp
    /dev/ip
            read_priv_set=net_rawaccess
            write_priv_set=net_rawaccess
    /dev/arp
            read_priv_set=none
            write_priv_set=none

    Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.

  2. Open /dev/arp and push the tcp and udp modules.

    No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.