Creating and Using Oracle® Solaris Zones

Updated: August 2019

Device Use in Non-Global Zones

The set of devices available within a zone is restricted to prevent a process in one zone from interfering with processes running in other zones. For example, a process in a zone cannot modify kernel memory or modify the contents of the root disk. Thus, by default, only certain pseudo-devices are considered safe for use in a zone. Additional devices can be made available within specific zones by using the zonecfg utility.

Caution - Applications that depend on devices that do not exist in a non-global zone, such as /dev/kmem, cannot be run in a non-global zone.

/dev and the /devices Namespace

The devfs file system described in the devfs(4FS) man page is used by the Oracle Solaris system to manage /devices. Each element in this namespace represents the physical path to a hardware device, pseudo-device, or nexus device. The namespace is a reflection of the device tree. As such, the file system is populated by a hierarchy of directories and device special files.

Devices are grouped according to the relative /dev hierarchy. For example, all of the devices under /dev in the global zone are grouped as global zone devices. For a non-global zone, the devices are grouped in a /dev directory under the zone's root path. Each group is a separate instance of the dev file system mounted on that /dev directory. Thus, the global zone devices are mounted under /dev, while the devices for a non-global zone named my-zone are mounted under /my-zone/root/dev.

The /dev file hierarchy is managed by the dev file system.

Caution - Subsystems that rely on /devices path names are not able to run in non-global zones. The subsystems must be updated to use /dev path names.

Caution - If a non-global zone has a device resource with a match that includes devices within /dev/zvol, namespace conflicts might occur within the non-global zone. For more information, see the dev(4FS) man page.

Exclusive-Use Devices and Zones

You might have devices that you want to assign to specific zones. Allowing unprivileged users to access block devices could permit those devices to be used to cause system panic, bus resets, or other adverse effects. Before making such assignments, consider the following issues:

  • Before assigning a SCSI tape device to a specific zone, consult the sgen(4D) man page.

  • Placing a physical device into more than one zone can create a covert channel between zones. Global zone applications that use such a device risk the possibility of compromised data or data corruption by a non-global zone.
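As an added example (not part of this guide), the following script audits exported zone configurations for the two device risks called out above: a device match that reaches into /dev/zvol, and one device match assigned to more than one zone. It assumes the text that zonecfg -z ZONE export prints for each zone has been concatenated with a "# zone: NAME" marker line before each zone's section; that marker convention and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Audit zone device resources for two risks named on this page: a match under
# /dev/zvol (namespace conflicts) and one device assigned to more than one zone
# (possible covert channel). Input is the text `zonecfg -z ZONE export` prints
# for each zone, joined with a "# zone: NAME" line before each zone's section
# (that marker is this script's own convention, not zonecfg output).

# Constructed sample (not from a real system): two zones that share one disk
# slice, and one match that reaches into /dev/zvol.
SAMPLE_EXPORT='# zone: zoneA
create -b
set zonepath=/zones/zoneA
add device
set match=/dev/rdsk/c1t0d0s0
end
add device
set match=/dev/zvol/rdsk/rpool/vol1
end
# zone: zoneB
create -b
set zonepath=/zones/zoneB
add device
set match=/dev/rdsk/c1t0d0s0
end
add device
set match=/dev/term/a
end'

# Print one "ZONE MATCH" pair per device resource found in the export text.
device_matches() {
    printf '%s\n' "$1" | awk '
        /^# zone: / { zone = $3; next }
        /^add device$/ { indev = 1; next }
        indev && /^set match=/ { sub(/^set match=/, ""); print zone, $0; next }
        /^end$/ { indev = 0 }'
}

# Device resources whose match lies under /dev/zvol (see the dev(4FS) caution).
zvol_matches() {
    device_matches "$1" | awk '$2 ~ /^\/dev\/zvol/'
}

# Match strings that appear in more than one zone, one per line, sorted.
shared_matches() {
    device_matches "$1" | sort -u |
        awk '{ seen[$2]++ } END { for (m in seen) if (seen[m] > 1) print m }' | sort
}
echo "device matches under /dev/zvol:"; zvol_matches "$SAMPLE_EXPORT"
echo "devices assigned to more than one zone:"; shared_matches "$SAMPLE_EXPORT"
```

On a live system, replace SAMPLE_EXPORT with the concatenated output of zonecfg -z ZONE export for each configured zone.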

Device Driver Administration in Zones

In a non-global zone, you can use the modinfo command described in the modinfo(8) man page to examine the list of loaded kernel modules.

Most operations concerning kernel, device, and platform management will not work inside a non-global zone because modifying platform hardware configurations violates the zone security model. These operations include the following:

  • Adding and removing drivers

  • Explicitly loading and unloading kernel modules

  • Initiating dynamic reconfiguration (DR) operations

  • Using facilities that affect the state of the physical platform

Device Utilities and Non-Global Zones

Some utilities cannot work in non-global zones, some can be modified for use within a zone, and the use of some utilities has security implications.

Device Utilities That Do Not Work in Non-Global Zones

The following utilities do not work in a zone because they rely on devices that are not normally available:

  • add_drv (see the add_drv(8) man page)

  • disks (see the disks(8) man page)

  • prtconf (see the prtconf(8) man page)

  • prtdiag (see the prtdiag(8) man page)

  • rem_drv (see the rem_drv(8) man page)

SPARC: eeprom in Non-Global Zones

The eeprom utility can be used in a zone to view settings but not to change settings. For more information, see the eeprom(8) and openprom(4D) man pages.

Device Utilities With Security Implications

After security considerations have been evaluated and allowed-raw-io is enabled, the following utilities can be used in a zone. Review Device Use in Non-Global Zones and Privileges in a Non-Global Zone for restrictions and security concerns.