Go to main content

Creating and Using Oracle® Solaris Zones

Exit Print View

Updated: August 2019
 
 

Security Measures for a System With Non-Global Zones

Oracle Solaris provides similar security measures to global and non-global zones.

Privileges in a Non-Global Zone

Zone processes are restricted to a subset of privileges to prevent a zone from affecting other zones, including the global zone. To display the privileges available in a zone, type the following from the appropriate zone:

global$ ppriv -l zonename
zonename> ppriv -l

Not all privileges that are installed by default are necessary. However, zones must keep the following privileges:

  • file_read
  • file_write
  • net_access
  • proc_exec
  • proc_fork
  • sys_linkdir
  • sys_net_config
  • sys_res_config
  • sys_smb
  • sys_suser_compat

You can add privileges to a zone's default privileges. For example, see Example 35, Adding DTrace Privileges to a Non-Global Zone. However, the following privileges are reserved for the global zone and cannot be added to a zone:

  • dtrace_kernel
  • proc_zone
  • sys_config
  • sys_devices
  • sys_dl_config
  • sys_linkdir
  • sys_ip_config
  • sys_iptun_config
  • sys_mount

Caution

Caution  -  Applications that rely on privileges that are reserved for the global zone cannot be run in a non-global zone.