Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. To prevent the viewing of all lower-level files from a particular zone, remove the net_mac_aware privilege from that zone. For a description of the net_mac_aware privilege, see the privileges(7) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Configure the zone to prevent the viewing of lower-level files.

    Remove the net_mac_aware privilege from the zone.

    # zonecfg -z zone-name
    set limitpriv=default,!net_mac_aware
  3. Restart the zone.
    # zoneadm -z zone-name boot
Example 19  Preventing Users From Viewing Lower-Level Files

In this example, the security administrator prevents users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.

# zoneadm -z restricted halt
# zonecfg -z restricted
set limitpriv=default,!net_mac_aware
# zoneadm -z restricted boot
# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
set limitpriv=default,!net_mac_aware
# zoneadm -z needtoknow boot
# zoneadm -z internal halt
# zonecfg -z internal
set limitpriv=default,!net_mac_aware
# zoneadm -z internal boot

Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.