Privileges in a Non-Global Zone
Processes in a non-global zone are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones, and the set of privileges available to a zone bounds what even a privileged user (root) inside that zone can do. To display the privileges available from within a given zone, use the ppriv utility.
The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be added through the limitpriv property of the zone configuration. Required privileges must be included in the resulting privilege set, or the zone cannot boot. Prohibited privileges cannot be included in the resulting privilege set. The limitpriv value is a comma-separated list of privilege names; if its first token is the keyword default, that token expands to the default set for the zone, and a name preceded by - or ! is excluded from the result. An empty or missing limitpriv property is equivalent to the default set.
Table 26-1 Status of Privileges in Zones
Privilege | Status | Notes
cpc_cpu | Optional | Access to certain cpc(3CPC) counters
dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M)
dtrace_user | Optional | profile and syscall providers
gart_access | Optional | ioctl(2) access to agpgart_io(7I)
gart_map | Optional | mmap(2) access to agpgart_io(7I)
net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access
proc_clock_highres | Optional | Use of high resolution timers
proc_priocntl | Optional | Scheduling control; priocntl(1)
sys_ipc_config | Optional | Raising IPC message queue buffer size
sys_time | Optional | System time manipulation; xntp(1M)
dtrace_kernel | Prohibited | Currently unsupported
proc_zone | Prohibited | Currently unsupported
sys_config | Prohibited | Currently unsupported
sys_devices | Prohibited | Currently unsupported
sys_linkdir | Prohibited | Currently unsupported
sys_net_config | Prohibited | Currently unsupported
sys_res_config | Prohibited | Currently unsupported
sys_suser_compat | Prohibited | Currently unsupported
proc_exec | Required, Default | Used to start init(1M)
proc_fork | Required, Default | Used to start init(1M)
sys_mount | Required, Default | Needed to mount required file systems
sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone
contract_event | Default | Used by contract file system
contract_observer | Default | Contract observation regardless of UID
file_chown | Default | File ownership changes
file_chown_self | Default | Owner/group changes for own files
file_dac_execute | Default | Execute access regardless of mode/ACL
file_dac_read | Default | Read access regardless of mode/ACL
file_dac_search | Default | Search access regardless of mode/ACL
file_dac_write | Default | Write access regardless of mode/ACL
file_link_any | Default | Link access regardless of owner
file_owner | Default | Other access regardless of owner
file_setid | Default | Permission changes for setid, setgid, setuid files
ipc_dac_read | Default | IPC read access regardless of mode
ipc_dac_write | Default | IPC write access regardless of mode
ipc_owner | Default | IPC other access regardless of mode
net_icmpaccess | Default | ICMP packet access; ping(1M)
net_privaddr | Default | Binding to privileged ports
proc_audit | Default | Generation of audit records
proc_chroot | Default | Changing of root directory
proc_info | Default | Process examination
proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory.
proc_owner | Default | Process control regardless of owner
proc_session | Default | Process control regardless of session
proc_setid | Default | Setting of user/group IDs at will
proc_taskid | Default | Assigning of task IDs to caller
sys_acct | Default | Management of accounting
sys_admin | Default | Simple system administration tasks
sys_audit | Default | Management of auditing
sys_nfs | Default | NFS client support
sys_resource | Default | Resource limit manipulation
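The script below is an added example for this page; it is not code from the Solaris zones documentation, from zonecfg(1M) or from priv_str_to_set(3C). It models how a limitpriv value such as default,sys_time,-proc_info resolves against Table 26-1 and whether the result would be accepted: the default keyword is expanded, names prefixed with - or ! are removed, and the result is then checked for the Required and Prohibited privileges, including the two entries (net_rawaccess and sys_ip_config) whose status depends on whether the zone is shared-IP or exclusive-IP. The function names resolve_limitpriv and in_set, the --demo switch and the sample specifications are assumptions of this example; the privilege sets are transcribed from Table 26-1 above.

```shell
#!/bin/sh
# Added example: models limitpriv resolution against Table 26-1.
# Not part of zonecfg(1M); all set contents below are from the table.

# Default set in every zone (Required,Default rows plus Default rows).
DEFAULT_PRIVS="proc_exec proc_fork sys_mount contract_event contract_observer
file_chown file_chown_self file_dac_execute file_dac_read file_dac_search
file_dac_write file_link_any file_owner file_setid ipc_dac_read ipc_dac_write
ipc_owner net_icmpaccess net_privaddr proc_audit proc_chroot proc_info
proc_lock_memory proc_owner proc_session proc_setid proc_taskid sys_acct
sys_admin sys_audit sys_nfs sys_resource"

# Optional: absent by default, may be added through limitpriv.
OPTIONAL_PRIVS="cpc_cpu dtrace_proc dtrace_user gart_access gart_map
proc_clock_highres proc_priocntl sys_ipc_config sys_time"

# Prohibited in every zone.
PROHIBITED_PRIVS="dtrace_kernel proc_zone sys_config sys_devices sys_linkdir
sys_net_config sys_res_config sys_suser_compat"

# Required in every zone (the zone cannot boot without them).
REQUIRED_PRIVS="proc_exec proc_fork sys_mount"

# in_set NAME LIST: succeed if NAME is one of the words in LIST.
in_set() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# resolve_limitpriv SPEC IPTYPE
#   SPEC   limitpriv value, e.g. "default,sys_time,-proc_info"
#   IPTYPE shared | exclusive (the zone's ip-type)
# Prints the resolved set, one privilege per line, sorted.
# Returns 1 with a diagnostic on stderr if the set would be rejected.
resolve_limitpriv() {
    spec=$1; iptype=$2
    default=$DEFAULT_PRIVS; optional=$OPTIONAL_PRIVS
    prohibited=$PROHIBITED_PRIVS; required=$REQUIRED_PRIVS
    case $iptype in
        shared)    optional="$optional net_rawaccess"
                   prohibited="$prohibited sys_ip_config" ;;
        exclusive) default="$default net_rawaccess sys_ip_config"
                   required="$required sys_ip_config" ;;
        *) echo "ip-type must be shared or exclusive" >&2; return 2 ;;
    esac
    [ -n "$spec" ] || spec=default      # empty property means the default set

    oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs
    result=""; n=0
    for tok; do
        n=$((n + 1))
        case $tok in
            default)
                if [ "$n" -ne 1 ]; then
                    echo "limitpriv: 'default' is only valid as the first token" >&2
                    return 1
                fi
                result=$default ;;
            -*|!*)                       # exclusion: rebuild the list without NAME
                name=${tok#?}; new=""
                for w in $result; do
                    [ "$w" = "$name" ] || new="$new $w"
                done
                result=$new ;;
            *)
                if in_set "$tok" "$default $optional $prohibited"; then
                    in_set "$tok" "$result" || result="$result $tok"
                else
                    echo "limitpriv: unknown privilege '$tok'" >&2
                    return 1
                fi ;;
        esac
    done

    status=0
    for p in $required; do
        in_set "$p" "$result" || { echo "limitpriv: required privilege '$p' missing" >&2; status=1; }
    done
    for p in $prohibited; do
        if in_set "$p" "$result"; then echo "limitpriv: prohibited privilege '$p' present" >&2; status=1; fi
    done
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' $result | sort
}

# Stand-alone demonstration: sh resolve_limitpriv.sh --demo
if [ "${1-}" = "--demo" ]; then
    for spec in 'default,sys_time,-proc_info' 'default,sys_ip_config' 'sys_time'; do
        echo "== limitpriv=$spec (shared-IP)"
        resolve_limitpriv "$spec" shared || echo "   rejected"
    done
fi
```

A specification that passes this model is the value you would then give to zonecfg (for example, set limitpriv=default,sys_time in zonecfg -z zonename), and the sorted list it prints is what ppriv -l, run inside the booted zone, should be able to report. The third demo case, sys_time on its own without the default keyword, is rejected because proc_exec, proc_fork and sys_mount are missing, which is the same reason zonecfg refuses such a set.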
The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.
Note - Trusted Extensions privileges are interpreted only if the system is configured with Trusted Extensions.
Table 26-2 Status of Solaris Trusted Extensions Privileges in Zones
Solaris Trusted Extensions Privilege | Status | Notes
sys_trans_label | Optional | Translate labels not dominated by sensitivity label
win_colormap | Optional | Colormap restrictions override
win_config | Optional | Configure or destroy resources that are permanently retained by the X server
win_dac_read | Optional | Read from window resource not owned by client's user ID
win_dac_write | Optional | Write to or create window resource not owned by client's user ID
win_devices | Optional | Perform operations on input devices
win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label
win_fontpath | Optional | Add an additional font path
win_mac_read | Optional | Read from window resource with a label that dominates the client's label
win_mac_write | Optional | Write to window resource with a label not equal to the client's label
win_selection | Optional | Request data moves without confirmer intervention
win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label
net_bindmlp | Default | Allows binding to a multilevel port (MLP)
net_mac_aware | Default | Allows reading down through NFS
To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone. To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.