Configuring Device Policy (Tasks)

Device policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.

Configuring Device Policy (Task Map)

The following task map points to device configuration procedures that are related to device policy.

How to View Device Policy

• Display the device policy for all devices on your system.

  % getdevpolicy | more
  DEFAULT
  read_priv_set=none
  write_priv_set=none
  ip:*
  read_priv_set=net_rawaccess
  write_priv_set=net_rawaccess
  …

Example 5-1 Viewing the Device Policy for a Specific Device

In this example, the device policy for three devices is displayed.

% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/bge
/dev/allkmem
read_priv_set=all
write_priv_set=all
/dev/ipsecesp
read_priv_set=sys_net_config
write_priv_set=sys_net_config
/dev/bge
read_priv_set=net_rawaccess
write_priv_set=net_rawaccess

How to Change the Device Policy on an Existing Device

Before You Begin

You must be assigned the Device Security rights profile.

1. Become an administrator with the required security attributes.

   For more information, see How to Obtain Administrative Rights.

2. Add policy to a device.

   # update_drv -a -p policy device-driver

   -a

   Specifies a policy for device-driver.

   -p policy

   Is the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device.

   device-driver

   Is the device driver.

   For more information, see the update_drv(1M) man page.

Example 5-2 Adding Policy to an Existing Device

In the following example, device policy is added to the ipnat device.

# getdevpolicy /dev/ipnat
/dev/ipnat
read_priv_set=none
write_priv_set=none
# update_drv -a \
-p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
read_priv_set=net_rawaccess
write_priv_set=net_rawaccess

Example 5-3 Removing Policy From a Device

In the following example, the read set of privileges is removed from the device policy for the ipnat device.

# getdevpolicy /dev/ipnat
/dev/ipnat
read_priv_set=net_rawaccess
write_priv_set=net_rawaccess
# update_drv -a -p write_priv_set=net_rawaccess ipnat
# getdevpolicy /dev/ipnat
/dev/ipnat
read_priv_set=none
write_priv_set=net_rawaccess

How to Audit Changes in Device Policy

By default, the as audit class includes the AUE_MODDEVPLCY audit event.

Before You Begin

You must be assigned the Audit Configuration rights profile.

1. Become an administrator with the required security attributes.

   For more information, see How to Obtain Administrative Rights.

2. Preselect the audit class that includes AUE_MODDEVPLCY audit event.

   # auditconfig -getflags
   current-flags
   # auditconfig -setflags current-flags,as

   For detailed instructions, see How to Preselect Audit Classes.

How to Retrieve IP MIB-II Information From a /dev/* Device

Applications that retrieve Oracle Solaris IP MIB-II information should open /dev/arp, not /dev/ip.

1. Determine the device policy on /dev/ip and /dev/arp.

   % getdevpolicy /dev/ip /dev/arp
   /dev/ip
   read_priv_set=net_rawaccess
   write_priv_set=net_rawaccess
   /dev/arp
   read_priv_set=none
   write_priv_set=none

   Note that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp.

2. Open /dev/arp and push the tcp and udp modules.

   No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.