Immutable zones are solaris zones with read-only roots. Both global and non-global zones can be immutable zones. An immutable zone can be configured by setting the file-mac-profile property. Several configurations are available. The read-only zone root expands the secure runtime boundary.
Immutable global zones extend the immutable zones feature to the global zone. For immutable zones and immutable kernel zones, the Trusted Path login can be invoked through the zlogin command. For more information, see the zlogin(1) man page.
Zones that are given additional datasets using the zonecfg add dataset command still have full control over those datasets. Zones that are given additional file systems using the zonecfg add fs command have full control over those file systems, unless the file systems are set to read-only.
See Chapter 10, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones for more information.