Creating and Using Oracle® Solaris Zones

Updated: May 2015

Privileges in a Non-Global Zone

Processes in a non-global zone are restricted to a subset of privileges. This restriction prevents a zone from performing operations that might affect other zones, and it caps the capabilities of privileged users within the zone, root included. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Oracle Solaris privileges and the status of each privilege with respect to zones. Default privileges form the set a zone receives when the limitpriv property is not set or begins with the token default. Optional privileges are not part of the default set but can be added through the limitpriv property. Required privileges must be included in the resulting privilege set and cannot be removed. Prohibited privileges cannot be included in the resulting privilege set. Where a status depends on the zone's IP type (shared-IP or exclusive-IP), both cases are given.

Table 10-1  Status of Privileges in Zones

Privilege | Status | Notes
cpc_cpu | Optional | Access to certain cpc(3CPC) counters
dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M)
dtrace_user | Optional | profile and syscall providers
file_flag_set | Optional | Allows a process to set the immutable, nounlink or appendonly file attributes. The global zone can use it to mark files immutable so that the non-global zone cannot remove them
graphics_access | Optional | ioctl(2) access to agpgart_io(7I)
graphics_map | Optional | mmap(2) access to agpgart_io(7I)
net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access
proc_clock_highres | Optional | Use of high resolution timers
proc_priocntl | Optional | Scheduling control; priocntl(1)
sys_ipc_config | Optional | Increase IPC message queue buffer size
sys_time | Optional | System time manipulation; xntp(1M)
dtrace_kernel | Prohibited | Currently unsupported
proc_zone | Prohibited | Currently unsupported
sys_config | Prohibited | Currently unsupported
sys_devices | Prohibited | Currently unsupported
sys_dl_config | Prohibited | Currently unsupported
sys_linkdir | Prohibited | Currently unsupported
sys_net_config | Prohibited | Currently unsupported
sys_res_config | Prohibited | Currently unsupported
sys_smb | Prohibited | Currently unsupported
sys_suser_compat | Prohibited | Currently unsupported
file_read | Required, Default | Allows a process to read a file or directory whose permission bits or ACL grant the process read permission
file_write | Required, Default | Allows a process to write a file or directory whose permission bits or ACL grant the process write permission
net_access | Required, Default | Allows a process to open a TCP, UDP, SDP or SCTP network endpoint
proc_exec | Required, Default | Used to start init(1M)
proc_fork | Required, Default | Used to start init(1M)
sys_mount | Required, Default | Needed to mount required file systems
sys_flow_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Needed to configure flows
sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone
sys_iptun_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Configure IP tunnel links
contract_event | Default | Used by the contract file system
contract_identity | Default | Set the service FMRI value of a process contract template
contract_observer | Default | Contract observation regardless of UID
file_chown | Default | File ownership changes
file_chown_self | Default | Owner/group changes for own files
file_dac_execute | Default | Execute access regardless of mode/ACL
file_dac_read | Default | Read access regardless of mode/ACL
file_dac_search | Default | Search access regardless of mode/ACL
file_dac_write | Default | Write access regardless of mode/ACL
file_link_any | Default | Link access regardless of owner
file_owner | Default | Other access regardless of owner
file_setid | Default | Permission changes for setid, setgid, setuid files
ipc_dac_read | Default | IPC read access regardless of mode
ipc_dac_write | Default | Allows a process to write a System V IPC message queue, semaphore set, or shared memory segment whose permission bits would not otherwise grant the process write permission
ipc_dac_owner | Default | IPC write access regardless of mode
ipc_owner | Default | IPC other access regardless of mode
net_icmpaccess | Default | ICMP packet access: ping(1M)
net_observability | Default | Allows a process to open a device for receiving network traffic; sending traffic is disallowed
net_privaddr | Default | Binding to privileged ports
proc_audit | Default | Generation of audit records
proc_chroot | Default | Changing of root directory
proc_info | Default | Process examination
proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory
proc_owner | Default | Process control regardless of owner
proc_session | Default | Process control regardless of session
proc_setid | Default | Setting of user/group IDs at will
proc_taskid | Default | Assigning of task IDs to caller
sys_acct | Default | Management of accounting
sys_admin | Default | Simple system administration tasks
sys_audit | Default | Management of auditing
sys_nfs | Default | NFS client support
sys_ppp_config | Default in exclusive-IP zones; Prohibited in shared-IP zones | Create and destroy PPP (sppp) interfaces, configure PPP tunnels (sppptun)
sys_resource | Default | Resource limit manipulation
sys_share | Default | Allows the sharefs system call needed to share file systems. The privilege can be removed in the zone configuration to prevent NFS sharing from within the zone
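
The rules in Table 10-1 are easy to get wrong by hand when writing a limitpriv value, so the following POSIX shell script, added here as an example and not part of this guide or of Oracle Solaris, resolves a proposed value for a shared-IP or exclusive-IP zone against the table: it rejects prohibited privileges, refuses the removal of required ones, flags optional ones that widen the zone's reach, and prints the resulting privilege limit set. It assumes the limitpriv syntax of zonecfg(1M) (default as the first token, a leading ! or - to remove a privilege, an empty value meaning the default set), transcribes Table 10-1 as printed (ipc_dac_owner included), and leaves out the Trusted Extensions privileges of Table 10-2. The function names resolve_limitpriv, has_priv and in_list are the example's own.

```shell
#!/bin/sh
# Added example, not an Oracle Solaris tool: resolve a zonecfg limitpriv value
# against Table 10-1 and print the privilege limit set the zone would get.
#
# Assumed zonecfg(1M) limitpriv syntax:
#   set limitpriv=default,sys_time,!sys_share
# "default" as the first token is the safe default set, a leading "!" or "-"
# removes a privilege, and an empty value means the default set. Trusted
# Extensions privileges (Table 10-2) are not modelled.

# Status lists transcribed from Table 10-1 (ipc_dac_owner kept as printed).
PROHIBITED="dtrace_kernel proc_zone sys_config sys_devices sys_dl_config \
sys_linkdir sys_net_config sys_res_config sys_smb sys_suser_compat"
REQUIRED="file_read file_write net_access proc_exec proc_fork sys_mount"
OPTIONAL="cpc_cpu dtrace_proc dtrace_user file_flag_set graphics_access \
graphics_map proc_clock_highres proc_priocntl sys_ipc_config sys_time"
DEFAULT="contract_event contract_identity contract_observer file_chown \
file_chown_self file_dac_execute file_dac_read file_dac_search file_dac_write \
file_link_any file_owner file_setid ipc_dac_read ipc_dac_write ipc_dac_owner \
ipc_owner net_icmpaccess net_observability net_privaddr proc_audit proc_chroot \
proc_info proc_lock_memory proc_owner proc_session proc_setid proc_taskid \
sys_acct sys_admin sys_audit sys_nfs sys_resource sys_share"
# Required and default in exclusive-IP zones, prohibited in shared-IP zones.
EXCL_REQUIRED="sys_flow_config sys_ip_config sys_iptun_config"
# Default in exclusive-IP zones; in shared-IP zones sys_ppp_config is
# prohibited and net_rawaccess is merely optional.
EXCL_DEFAULT="sys_ppp_config net_rawaccess"

# in_list WORD "LIST": true if WORD is one of the space-separated LIST items.
in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# resolve_limitpriv shared|exclusive VALUE
# Prints the resulting limit set, sorted one per line, on stdout and each
# finding on stderr. Returns 1 if VALUE would not be acceptable for the zone.
resolve_limitpriv() {
  iptype=$1; value=$2; rc=0; lset=""; first=1
  [ -n "$value" ] || value=default
  for tok in $(printf '%s' "$value" | tr ',' ' '); do
    case $tok in
      default)
        if [ $first -ne 1 ]; then echo "error: default must be the first token" >&2; rc=1; fi
        lset="$REQUIRED $DEFAULT"
        if [ "$iptype" = exclusive ]; then lset="$lset $EXCL_REQUIRED $EXCL_DEFAULT"; fi ;;
      "!"*|-*)
        p=${tok#?}
        if in_list "$p" "$REQUIRED" || { [ "$iptype" = exclusive ] && in_list "$p" "$EXCL_REQUIRED"; }; then
          echo "error: $p is required and cannot be removed" >&2; rc=1
        else
          new=""; for w in $lset; do [ "$w" = "$p" ] || new="$new $w"; done; lset=$new
        fi ;;
      *)
        if in_list "$tok" "$PROHIBITED"; then
          echo "error: $tok is prohibited in every non-global zone" >&2; rc=1
        elif [ "$iptype" = shared ] && { in_list "$tok" "$EXCL_REQUIRED" || [ "$tok" = sys_ppp_config ]; }; then
          echo "error: $tok is prohibited in shared-IP zones" >&2; rc=1
        elif in_list "$tok" "$OPTIONAL" || { [ "$iptype" = shared ] && [ "$tok" = net_rawaccess ]; }; then
          echo "note: $tok is optional; it widens what privileged users in the zone can do" >&2
          in_list "$tok" "$lset" || lset="$lset $tok"
        elif in_list "$tok" "$DEFAULT $REQUIRED $EXCL_REQUIRED $EXCL_DEFAULT"; then
          in_list "$tok" "$lset" || lset="$lset $tok"
        else
          echo "error: unknown privilege $tok" >&2; rc=1
        fi ;;
    esac
    first=0
  done
  # Without default, every required privilege has to be named explicitly.
  for p in $REQUIRED; do
    in_list "$p" "$lset" || { echo "error: required privilege $p is missing" >&2; rc=1; }
  done
  printf '%s\n' $lset | sort
  return $rc
}

# has_priv shared|exclusive VALUE PRIV: true if the resolved set contains PRIV.
has_priv() { resolve_limitpriv "$1" "$2" 2>/dev/null | grep -qx "$3"; }

# Check a value before applying it with (assumed command form)
#   zonecfg -z my-zone "set limitpriv=default,sys_time,!sys_share"
resolve_limitpriv shared 'default,sys_time,!sys_share'
```

The check is deliberately conservative: a shared-IP zone is refused sys_ip_config even though the same token is required in an exclusive-IP zone, and removing a required privilege such as proc_fork is an error rather than a warning, because a zone configured that way cannot boot.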

The following table lists all of the Oracle Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.


Note - Oracle Solaris Trusted Extensions privileges are interpreted only if the system is configured with Oracle Solaris Trusted Extensions.

Table 10-2  Status of Oracle Solaris Trusted Extensions Privileges in Zones

Oracle Solaris Trusted Extensions Privilege | Status | Notes
file_downgrade_sl | Optional | Set the sensitivity label of a file or directory to a sensitivity label that does not dominate the existing sensitivity label
file_upgrade_sl | Optional | Set the sensitivity label of a file or directory to a sensitivity label that dominates the existing sensitivity label
sys_trans_label | Optional | Translate labels not dominated by the sensitivity label
win_colormap | Optional | Colormap restrictions override
win_config | Optional | Configure or destroy resources that are permanently retained by the X server
win_dac_read | Optional | Read from a window resource not owned by the client's user ID
win_dac_write | Optional | Write to or create a window resource not owned by the client's user ID
win_devices | Optional | Perform operations on input devices
win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl | Optional | Change the sensitivity label of a window resource to a new label dominated by the existing label
win_fontpath | Optional | Add an additional font path
win_mac_read | Optional | Read from a window resource with a label that dominates the client's label
win_mac_write | Optional | Write to a window resource with a label not equal to the client's label
win_selection | Optional | Request data moves without confirmer intervention
win_upgrade_sl | Optional | Change the sensitivity label of a window resource to a new label not dominated by the existing label
net_bindmlp | Default | Allows binding to a multilevel port (MLP)
net_mac_aware | Default | Allows reading down through NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone.

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.