| Privilege | Status | Notes |
| --- | --- | --- |
| cpc_cpu | Optional | Access to certain cpc(3CPC) counters |
| dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M) |
| dtrace_user | Optional | profile and syscall providers |
| file_flag_set | Optional | Allows a process to set immutable, nounlink or appendonly file attributes; can be used to mark files immutable in the global zone so that the non-global zone cannot remove the files |
| graphics_access | Optional | ioctl(2) access to agpgart_io(7I) |
| graphics_map | Optional | mmap(2) access to agpgart_io(7I) |
| net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access |
| proc_clock_highres | Optional | Use of high resolution timers |
| proc_priocntl | Optional | Scheduling control; priocntl(1) |
| sys_ipc_config | Optional | Increase IPC message queue buffer size |
| sys_time | Optional | System time manipulation; xntp(1M) |
| dtrace_kernel | Prohibited | Currently unsupported |
| proc_zone | Prohibited | Currently unsupported |
| sys_config | Prohibited | Currently unsupported |
| sys_devices | Prohibited | Currently unsupported |
| sys_dl_config | Prohibited | Currently unsupported |
| sys_linkdir | Prohibited | Currently unsupported |
| sys_net_config | Prohibited | Currently unsupported |
| sys_res_config | Prohibited | Currently unsupported |
| sys_smb | Prohibited | Currently unsupported |
| sys_suser_compat | Prohibited | Currently unsupported |
| file_read | Required, Default | Allows a process to read a file or directory whose permission bits or ACL grant the process read permission |
| file_write | Required, Default | Allows a process to write a file or directory whose permission bits or ACL grant the process write permission |
| net_access | Required, Default | Allows a process to open a TCP, UDP, SDP or SCTP network endpoint |
| proc_exec | Required, Default | Used to start init(1M) |
| proc_fork | Required, Default | Used to start init(1M) |
| sys_mount | Required, Default | Needed to mount required file systems |
| sys_flow_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Needed to configure flows |
| sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone |
| sys_iptun_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Configure IP tunnel links |
| contract_event | Default | Used by contract file system |
| contract_identity | Default | Set service FMRI value of a process contract template |
| contract_observer | Default | Contract observation regardless of UID |
| file_chown | Default | File ownership changes |
| file_chown_self | Default | Owner/group changes for own files |
| file_dac_execute | Default | Execute access regardless of mode/ACL |
| file_dac_read | Default | Read access regardless of mode/ACL |
| file_dac_search | Default | Search access regardless of mode/ACL |
| file_dac_write | Default | Write access regardless of mode/ACL |
| file_link_any | Default | Link access regardless of owner |
| file_owner | Default | Other access regardless of owner |
| file_setid | Default | Permission changes for setid, setgid, setuid files |
| ipc_dac_read | Default | IPC read access regardless of mode |
| ipc_dac_write | Default | Allows a process to write a System V IPC message queue, semaphore set, or shared memory segment for which the permission bits would not otherwise grant the process write permission |
| ipc_dac_owner | Default | IPC write access regardless of mode |
| ipc_owner | Default | IPC other access regardless of mode |
| net_icmpaccess | Default | ICMP packet access; ping(1M) |
| net_observability | Default | Allows a process to open a device for receiving network traffic; sending traffic is disallowed |
| net_privaddr | Default | Binding to privileged ports |
| proc_audit | Default | Generation of audit records |
| proc_chroot | Default | Changing of root directory |
| proc_info | Default | Process examination |
| proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory. |
| proc_owner | Default | Process control regardless of owner |
| proc_session | Default | Process control regardless of session |
| proc_setid | Default | Setting of user/group IDs at will |
| proc_taskid | Default | Assigning of task IDs to caller |
| sys_acct | Default | Management of accounting |
| sys_admin | Default | Simple system administration tasks |
| sys_audit | Default | Management of auditing |
| sys_nfs | Default | NFS client support |
| sys_ppp_config | Default in exclusive-IP zones; Prohibited in shared-IP zones | Create and destroy PPP (sppp) interfaces; configure PPP tunnels (sppptun) |
| sys_resource | Default | Resource limit manipulation |
| sys_share | Default | Allows the sharefs system call needed to share file systems. The privilege can be prohibited in the zone configuration to prevent NFS sharing within a zone. |