Understanding the zoned Property
When a dataset is delegated to a native zone, the dataset must be specially marked so that certain properties are not interpreted within the context of the global or kernel zone. After a dataset has been delegated to a native zone and is under the control of a zone administrator, its contents can no longer be trusted. As with any file system, setuid binaries, symbolic links, or otherwise questionable contents might exist that might adversely affect the security of the global or kernel zone. In addition, the mountpoint property cannot be interpreted in the context of the global or kernel zone. Otherwise, the zone administrator could affect the global or kernel zone's namespace. To address the latter, ZFS uses the zoned property to indicate that a dataset has been delegated to a native zone at one point in time.
The zoned property is a boolean value that is automatically turned on when a zone containing a ZFS dataset is first booted. A zone administrator does not need to manually set this property. If the zoned property is set, the dataset cannot be mounted or shared in the global or kernel zone. In the following example, system1/zone/zion has been delegated to a zone, while system1/zone/global has not:
$ zfs list -o name,zoned,mountpoint,mounted -r system1/zone
NAME                 ZONED  MOUNTPOINT            MOUNTED
system1/zone/global  off    /system1/zone/global  yes
system1/zone/zion    on     /system1/zone/zion    yes
$ zfs mount
system1/zone/global  /system1/zone/global
system1/zone/zion    /export/zone/zion/root/system1/zone/zion

root@kzx-05:~# zonecfg -z sol info dataset
dataset:
        name: rpool/foo
        alias: foo
root@kzx-05:~# zfs list -o name,zoned,mountpoint,mounted -r rpool/foo
NAME       ZONED  MOUNTPOINT                  MOUNTED
rpool/foo  on     /system/zones/sol/root/foo  yes
root@kzx-05:~# zfs mount | grep /foo
rpool/foo  /system/zones/sol/root/foo
When a dataset is removed from a zone or a zone is destroyed, the zoned property is not automatically cleared. This behavior avoids the inherent security risks associated with these tasks. Because an untrusted user has complete access to the dataset and its descendants, the mountpoint property might be set to bad values, or setuid binaries might exist on the file systems.
To prevent accidental security risks, the zoned property must be manually cleared by the global zone administrator if you want to reuse the dataset in any way. Before setting the zoned property to off, ensure that the mountpoint property for the dataset and all its descendants is set to reasonable values and that no setuid binaries exist, or turn off the setuid property.
After you have verified that no security vulnerabilities are left, the zoned property can be turned off by using the zfs set or zfs inherit command. If the zoned property is turned off while a dataset is in use within a zone, the system might behave in unpredictable ways. Only change the property if you are sure the dataset is no longer in use by a native zone.
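The pre-clearing checks described above can be scripted. The following is an added example, not part of the original documentation: it flags mountpoint values outside an expected directory tree, reports file systems where the setuid property is not off, and lists setuid files. The expected prefix /foo, the child dataset names, and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before clearing "zoned" on a dataset.

# check_mountpoints PREFIX
#   stdin:  `zfs list -H -o name,mountpoint,setuid -r DATASET` output
#           (tab-separated, no header line).
#   PREFIX: directory every mountpoint is expected to live under
#           (an assumption of this example, chosen by the administrator).
# Prints one finding per line; no output means nothing was flagged.
check_mountpoints() {
    awk -F'\t' -v p="$1" '{
        mp = $2
        # "none" and "legacy" are not mounted automatically by ZFS.
        if (mp != "none" && mp != "legacy") {
            outside = (mp != p && index(mp, p "/") != 1)
            dotdot  = (index("/" mp "/", "/../") > 0)
            if (outside || dotdot) print "BAD_MOUNTPOINT " $1 " " mp
        }
        # With setuid=off, setuid bits on that file system are not honored.
        if ($3 != "off") print "SETUID_ENABLED " $1
    }'
}

# find_setid_files DIR
# Lists setuid files (and setgid files, which goes beyond the page) under DIR
# without crossing into other mounted file systems.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed sample of `zfs list -H -o name,mountpoint,setuid -r rpool/foo`.
sample_listing() {
    printf 'rpool/foo\t/foo\ton\n'
    printf 'rpool/foo/a\t/foo/a\toff\n'
    printf 'rpool/foo/b\t/etc\ton\n'
    printf 'rpool/foo/c\t/foo/../usr/lib\toff\n'
}

sample_listing | check_mountpoints /foo

# On a live system, from the global zone, once the zone no longer uses it:
#   zfs list -H -o name,mountpoint,setuid -r rpool/foo | check_mountpoints /foo
#   find_setid_files DIR    # DIR: wherever the file system is reachable
#   zfs set zoned=off rpool/foo    # only after every finding is resolved
```

A SETUID_ENABLED finding is resolved either by confirming that find_setid_files reports nothing for that file system or by setting its setuid property to off.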