device_allocate File

You can modify the /etc/security/device_allocate file to change devices from allocatable to nonallocatable, or to add new devices.

An entry in the device_allocate file does not mean that the device is allocatable, unless the entry specifically states that the device is allocatable.

In the device_allocate file, each device is represented by a one-line entry in the following format:

device-name;device-type;reserved;reserved;auths;device-exec

The following example shows a sample device_allocate file.

st0;st;;;;/etc/security/lib/st_clean
fd0;fd;;;;/etc/security/lib/fd_clean
sr0;sr;;;;/etc/security/lib/sr_clean
audio;audio;;;*;/etc/security/lib/audio_clean

Note the asterisk (*) in the fifth field of the audio device entry.

Lines in the device_allocate file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A pound sign (#) comments all subsequent text until the next newline that is not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field. The fields are defined as follows:

device-name

Specifies the name of the device. For a list of current device names, see Viewing Allocation Information About a Device.

device-type

Specifies the generic device type. The generic name is the name for the class of devices, such as st, fd, and sr. The device-type field logically groups related devices. When you make a device allocatable, retrieve the device name from the device-type field in the device_maps file.

reserved

Oracle reserves the two fields that are marked reserved for future use.

auths

Specifies whether the device is allocatable. An asterisk (*) in this field indicates that the device is not allocatable. An authorization string, or an empty field, indicates that the device is allocatable. For example, the string solaris.device.allocate in the auths field indicates that the solaris.device.allocate authorization is required to allocate the device. An at sign (@) in this field indicates that the device is allocatable by any user.

device-exec

Supplies the path name of a script to be invoked for special handling, such as cleanup and object reuse protection during the allocation process. The device-exec script is run any time that the device is acted on by the deallocate command.

For example, the following entry for the sr0 device indicates that the CD-ROM drive is allocatable by a user with the solaris.device.allocate authorization:

sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
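The syntax rules and field meanings described above can be checked mechanically when reviewing a device_allocate file. The following parser is an added example, not Oracle code: the function names, the constructed sample input, and the audit rule that an allocatable device should name a device-exec script are assumptions made for illustration.

```python
FIELDS = ("name", "type", "reserved1", "reserved2", "auths", "device_exec")

# Constructed sample input (not taken from a real system).
SAMPLE = r"""# constructed device_allocate sample
st0;st;;;;/etc/security/lib/st_clean
audio;audio;;;*;/etc/security/lib/audio_clean
sr0 ; sr ; reserved ; reserved ; \
    solaris.device.allocate ; /etc/security/lib/sr_clean   # CD-ROM
fd0;fd;;;@;
# a comment that is continued \
onto this line; still;a;comment;;
"""

def classify(auths):
    """Map the auths field to the meaning this page gives it."""
    if auths == "*":
        return "not allocatable"
    if auths == "@":
        return "allocatable by any user"
    if auths == "":
        return "allocatable (no authorization named)"
    return "allocatable with authorization " + auths

def parse_device_allocate(text):
    """Return one dict per entry, applying the page's syntax rules."""
    # Backslash-newline continues an entry, or a comment, on the next line.
    logical_lines = text.replace("\\\n", "").split("\n")
    entries = []
    for line in logical_lines:
        line = line.split("#", 1)[0].strip()  # '#' comments out the rest
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]  # blanks allowed in fields
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["status"] = classify(entry["auths"])
        entries.append(entry)
    return entries

def missing_clean_script(entries):
    """Audit rule assumed here: an allocatable device should name a device-exec."""
    return [e["name"] for e in entries
            if e["status"] != "not allocatable" and not e["device_exec"]]

if __name__ == "__main__":
    parsed = parse_device_allocate(SAMPLE)
    for e in parsed:
        print(f'{e["name"]:6} {e["status"]}')
    print("no device-exec:", missing_clean_script(parsed))
```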

You can decide to accept the default devices and their defined characteristics. After you install a new device, you can modify the entries. Any device that needs to be allocated before use must be defined in the device_allocate and device_maps files for that device's system. Currently, cartridge tape drives, CD-ROM drives, removable media devices, and audio chips are considered allocatable. These device types have device-clean scripts.

Note:

Xylogics and Archive tape drives also use the st_clean script that is supplied for SCSI devices. You need to create your own device-clean scripts for other devices, such as terminals, graphics tablets, and other allocatable devices. The script must fulfill object reuse requirements for that type of device.