| Privilege | Status | Notes |
|---|---|---|
| cpc_cpu | Optional | |
| dtrace_proc | Optional | |
| dtrace_user | Optional | profile and syscall providers |
| file_flag_set | Optional | Allows a process to set the immutable, nounlink or appendonly file attributes; can be used to mark files immutable in the global zone so that the non-global zone cannot remove them |
| graphics_access | Optional | |
| graphics_map | Optional | |
| net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access |
| proc_clock_highres | Optional | Use of high-resolution timers |
| proc_priocntl | Optional | |
| sys_ipc_config | Optional | Increase IPC message queue buffer size |
| dtrace_kernel | Prohibited | Currently unsupported |
| proc_zone | Prohibited | Currently unsupported |
| sys_config | Prohibited | Currently unsupported |
| sys_devices | Prohibited | Currently unsupported |
| sys_dl_config | Prohibited | Currently unsupported |
| sys_linkdir | Prohibited | Currently unsupported |
| sys_net_config | Prohibited | Currently unsupported |
| sys_res_config | Prohibited | Currently unsupported |
| sys_smb | Prohibited | Currently unsupported |
| sys_suser_compat | Prohibited | Currently unsupported |
| file_read | Required, Default | Allows a process to read a file or directory whose permissions or ACL grant the process read permission |
| file_write | Required, Default | Allows a process to write a file or directory whose permissions or ACL grant the process write permission |
| net_access | Required, Default | Allows a process to open a TCP, UDP, SDP or SCTP network endpoint |
| proc_exec | Required, Default | |
| proc_fork | Required, Default | |
| sys_mount | Required, Default | Needed to mount required file systems |
| sys_flow_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Needed to configure flows |
| sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone |
| sys_iptun_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Configure IP tunnel links |
| contract_event | Default | Used by the contract file system |
| contract_identity | Default | Set the service FMRI value of a process contract template |
| contract_observer | Default | Contract observation regardless of UID |
| file_chown | Default | File ownership changes |
| file_chown_self | Default | Owner/group changes for own files |
| file_dac_execute | Default | Execute access regardless of mode/ACL |
| file_dac_read | Default | Read access regardless of mode/ACL |
| file_dac_search | Default | Search access regardless of mode/ACL |
| file_dac_write | Default | Write access regardless of mode/ACL |
| file_link_any | Default | Link access regardless of owner |
| file_owner | Default | Other access regardless of owner |
| file_setid | Default | Permission changes for setid, setgid and setuid files |
| ipc_dac_read | Default | IPC read access regardless of mode |
| ipc_dac_write | Default | Allows a process to write a System V IPC message queue, semaphore set or shared memory segment whose permission bits would not otherwise grant the process write permission |
| ipc_dac_owner | Default | IPC write access regardless of mode |
| ipc_owner | Default | IPC other access regardless of mode |
| net_icmpaccess | Default | |
| net_observability | Default | Allows a process to open a device for receiving network traffic; sending traffic is disallowed |
| net_privaddr | Default | Binding to privileged ports |
| proc_audit | Default | Generation of audit records |
| proc_chroot | Default | Changing of root directory |
| proc_info | Default | Process examination |
| proc_lock_memory | Default | If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory |
| proc_owner | Default | Process control regardless of owner |
| proc_session | Default | Process control regardless of session |
| proc_setid | Default | Setting of user/group IDs at will |
| proc_taskid | Default | Assigning of task IDs to caller |
| sys_acct | Default | Management of accounting |
| sys_admin | Default | Simple system administration tasks |
| sys_audit | Default | Management of auditing |
| sys_nfs | Default | NFS client support |
| sys_ppp_config | Default in exclusive-IP zones; Prohibited in shared-IP zones | Create and destroy PPP (sppp) interfaces, configure PPP tunnels (sppptun) |
| sys_resource | Default | Resource limit manipulation |
| sys_share | Default | Allows the sharefs system call needed to share file systems. The privilege can be prohibited in the zone configuration to prevent NFS sharing within a zone |
| sys_time | Default | System time manipulation |
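The proc_lock_memory and sys_share notes above describe adjusting a zone's privilege set and capping its locked memory. The following shell script is an added example, not part of the original table: it generates the zonecfg command file for those two adjustments and refuses any limitpriv value that names a privilege the table marks Prohibited. The zone name, the limitpriv value and the 512 MiB limit are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original table. Generates a zonecfg(1M)
# command file that sets a non-global zone's limitpriv and caps locked
# memory with the zone.max-locked-memory rctl, as the table's
# proc_lock_memory note recommends. Sample values are constructed.

# Privileges the table marks "Prohibited" in a non-global zone.
PROHIBITED="dtrace_kernel proc_zone sys_config sys_devices sys_dl_config \
sys_linkdir sys_net_config sys_res_config sys_smb sys_suser_compat"

# check_limitpriv LIMITPRIV
# LIMITPRIV is zonecfg's comma-separated list; a token may carry a leading
# '+' (add) or '-'/'!' (remove). Returns 1 if any token names a privilege a
# zone cannot hold, so the mistake surfaces before zonecfg is ever invoked.
check_limitpriv() {
    for _tok in $(printf '%s' "$1" | tr ',' ' '); do
        _name=${_tok#[+!-]}
        for _p in $PROHIBITED; do
            if [ "$_name" = "$_p" ]; then
                echo "refusing limitpriv: $_name is prohibited in zones" >&2
                return 1
            fi
        done
    done
    return 0
}

# zonecfg_script LIMITPRIV LOCKED_BYTES
# Prints the zonecfg commands. proc_lock_memory is in the Default set, so
# the rctl is emitted unless the privilege is explicitly removed.
zonecfg_script() {
    check_limitpriv "$1" || return 1
    printf 'set limitpriv="%s"\n' "$1"
    case ",$1," in
        *,-proc_lock_memory,*|*,!proc_lock_memory,*) ;;
        *)
            printf 'add rctl\nset name=zone.max-locked-memory\n'
            printf 'add value (priv=privileged,limit=%s,action=deny)\nend\n' "$2"
            ;;
    esac
    printf 'verify\ncommit\n'
}

# Sample use: drop sys_share (no NFS sharing from the zone) and cap locked
# memory at 512 MiB; redirect to a file and apply it with
#   zonecfg -z samplezone -f samplezone.cfg
# Inside the zone, `ppriv -l zone` lists the privileges it can actually hold.
zonecfg_script "default,-sys_share" 536870912
```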