Device Policy
The device policy mechanism enables you to specify that processes that open a device require certain privileges. Devices that are protected by device policy can only be accessed by processes that are running with the privileges that the device policy specifies. Oracle Solaris provides a default device policy. For example, network interfaces such as bge0 require that the processes that access the interface be running with the net_rawaccess privilege. The requirement is enforced in the kernel. For more information about privileges, see Process Rights Management in Securing Users and Processes in Oracle Solaris 11.4.
In Oracle Solaris, devices are protected with file permissions and with device policy. For example, the /dev/ip file has 666 permissions. However, the device can only be opened by a process with the appropriate privileges.
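The two layers in the /dev/ip example can be checked together: the mode string from ls -l and the privilege sets that the device policy requires. This is an added example script, not code from the Oracle Solaris documentation; it assumes the getdevpolicy(1M) output format shown in its constructed sample, and the labels it prints are its own.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: report which layer
# restricts who can open a device node, its file permissions or the device policy
# enforced in the kernel. Assumes getdevpolicy(1M) prints read_priv_set=/write_priv_set=
# lines as in the constructed sample below.

# Constructed sample of getdevpolicy output for the /dev/ip case in the text.
SAMPLE_IP_POLICY='/dev/ip
        read_priv_set=net_rawaccess
        write_priv_set=net_rawaccess'

# parse_policy: read getdevpolicy output on stdin, print "READ_PRIVS WRITE_PRIVS";
# output that names no privilege set (e.g. only DEFAULT) yields "none none".
parse_policy() {
    awk -F= '
        /read_priv_set=/  { r = $2 }
        /write_priv_set=/ { w = $2 }
        END { if (r == "") r = "none"; if (w == "") w = "none"; print r, w }'
}

# classify PERMS READ_PRIVS WRITE_PRIVS: PERMS is the ls -l mode string, e.g.
# crw-rw-rw- for mode 666.
classify() {
    perms=$1; rp=$2; wp=$3
    other=${perms#???????}          # permission bits for "other" users
    if [ "$rp" != none ] || [ "$wp" != none ]; then
        echo policy-protected       # a privilege is required whatever the mode says
    else
        case $other in
            *[rw]*) echo world-open ;;        # no policy and anyone may open it
            *)      echo perms-restricted ;;  # only file permissions guard it
        esac
    fi
}

# check_device PATH: on a Solaris host, query the live node and classify it.
check_device() {
    dev=$1
    perms=$(ls -lL "$dev" | awk '{ print $1 }')
    privs=$(getdevpolicy "$dev" | parse_policy)
    echo "$dev $perms $privs $(classify "$perms" $privs)"
}

if [ $# -gt 0 ] && command -v getdevpolicy >/dev/null 2>&1; then
    for d in "$@"; do check_device "$d"; done
else                                # offline: classify the constructed /dev/ip sample
    privs=$(printf '%s\n' "$SAMPLE_IP_POLICY" | parse_policy)
    echo "/dev/ip crw-rw-rw- $privs $(classify crw-rw-rw- $privs)"
fi
```

Run it with device paths as arguments on a Solaris host; a world-open result means nothing but the 666-style mode stands between a process and the device.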
The configuration of device policy can be audited. The AUE_MODDEVPLCY audit event records changes in device policy.
For more information about device policy, see the following: