Privileges in a Non-Global Zone

Zone processes are restricted to a subset of privileges to prevent a zone from affecting other zones, including the global zone. To display the privileges available in a zone, type the following from the appropriate zone:

global$ ppriv -l zonename
zonename> ppriv -l

Not every privilege in a zone's default set is necessary. However, a zone must keep the following privileges:

  • file_read
  • file_write
  • net_access
  • proc_exec
  • proc_fork
  • sys_linkdir
  • sys_net_config
  • sys_res_config
  • sys_smb
  • sys_suser_compat

You can add privileges to a zone's default privileges. For example, see Adding DTrace Privileges to a Non-Global Zone. However, the following privileges are reserved for the global zone and cannot be added to a zone:

  • dtrace_kernel
  • proc_zone
  • sys_config
  • sys_devices
  • sys_dl_config
  • sys_linkdir
  • sys_ip_config
  • sys_iptun_config
  • sys_mount

Caution:

Applications that rely on privileges that are reserved for the global zone cannot be run in a non-global zone.
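
As an added example (not part of the original page), the following shell function checks a proposed limitpriv value against the two lists above before it is given to zonecfg. It assumes the zonecfg limitpriv syntax (comma-separated names, "default" as the base set, a leading "!" or "-" to remove a privilege); the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a proposed zonecfg limitpriv value against the two
# lists on this page. It never calls zonecfg and never changes a zone.

# Privileges the page says a zone must keep.
REQUIRED="file_read file_write net_access proc_exec proc_fork sys_linkdir sys_net_config sys_res_config sys_smb sys_suser_compat"
# Privileges the page says are reserved for the global zone.
RESERVED="dtrace_kernel proc_zone sys_config sys_devices sys_dl_config sys_linkdir sys_ip_config sys_iptun_config sys_mount"

# in_list NAME LIST: succeed if NAME is one of the space-separated words in LIST.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_limitpriv VALUE: print one line per problem; non-zero status if any.
# The body runs in a subshell so the IFS and globbing changes do not leak.
check_limitpriv() (
    rc=0
    IFS=','
    set -f
    for tok in $1; do
        case "$tok" in
            '!'*|-*)                      # removal of a privilege
                name=${tok#?}
                if in_list "$name" "$REQUIRED"; then
                    echo "removes required privilege: $name"
                    rc=1
                fi ;;
            default|'') ;;                # base set or empty token
            *)                            # addition of a privilege
                if in_list "$tok" "$RESERVED"; then
                    echo "adds global-zone-only privilege: $tok"
                    rc=1
                fi ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample values, not taken from a real zone configuration.
check_limitpriv 'default,dtrace_proc,dtrace_user'
check_limitpriv 'default,sys_mount,!proc_fork' || true
```

A non-zero exit status means the value would either request a privilege that cannot be added to a zone or drop one the zone must keep.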

For further information about privileges, review the following: