The default privileges are the set of privileges that a non-global zone receives by default; the keyword default expands to this set.
When using the limitpriv keyword it is common to add privileges to, or remove privileges from, the default set. To do this, specify the default keyword first and then list the changes.
Example:
zonecfg:zone5> set limitpriv=default,sys_time,!net_rawaccess
The sys_time privilege is added and the net_rawaccess privilege is negated (removed).
Status of Privileges in Zones
| Privilege | Status | Notes |
|---|---|---|
| cpc_cpu | Optional | Access to certain cpc(3CPC) counters |
| dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M) |
| dtrace_user | Optional | profile and syscall providers |
| gart_access | Optional | ioctl(2) access to agpgart_io(7I) |
| gart_map | Optional | mmap(2) access to agpgart_io(7I) |
| net_rawaccess | Optional in shared-IP zones. Default in exclusive-IP zones. | Raw PF_INET/PF_INET6 packet access |
| proc_clock_highres | Optional | Use of high resolution timers |
| proc_priocntl | Optional | Scheduling control; priocntl(1) |
| sys_ipc_config | Optional | Raising IPC message queue buffer size |
| sys_time | Optional | System time manipulation; xntp(1M) |
| dtrace_kernel | Prohibited | Currently unsupported |
| proc_zone | Prohibited | Currently unsupported |
| sys_config | Prohibited | Currently unsupported |
| sys_devices | Prohibited | Currently unsupported |
| sys_linkdir | Prohibited | Currently unsupported |
| sys_net_config | Prohibited | Currently unsupported |
| sys_res_config | Prohibited | Currently unsupported |
| sys_suser_compat | Prohibited | Currently unsupported |
| proc_exec | Required, Default | Used to start init(1M) |
| proc_fork | Required, Default | Used to start init(1M) |
| sys_mount | Required, Default | Needed to mount required file systems |
| sys_ip_config | Required, Default in exclusive-IP zones. Prohibited in shared-IP zones. | Required to boot zone and initialize IP networking in exclusive-IP zone |
| contract_event | Default | Used by contract file system |
| contract_observer | Default | Contract observation regardless of UID |
| file_chown | Default | File ownership changes |
| file_chown_self | Default | Owner/group changes for own files |
| file_dac_execute | Default | Execute access regardless of mode/ACL |
| file_dac_read | Default | Read access regardless of mode/ACL |
| file_dac_search | Default | Search access regardless of mode/ACL |
| file_dac_write | Default | Write access regardless of mode/ACL |
| file_link_any | Default | Link access regardless of owner |
| file_owner | Default | Other access regardless of owner |
| file_setid | Default | Permission changes for setid, setgid, setuid files |
| ipc_dac_read | Default | IPC read access regardless of mode |
| ipc_dac_owner | Default | IPC write access regardless of mode |
| ipc_owner | Default | IPC other access regardless of mode |
| net_icmpaccess | Default | ICMP packet access: ping(1M) |
| net_privaddr | Default | Binding to privileged ports |
| proc_audit | Default | Generation of audit records |
| proc_chroot | Default | Changing of root directory |
| proc_info | Default | Process examination |
| proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory. |
| proc_owner | Default | Process control regardless of owner |
| proc_session | Default | Process control regardless of session |
| proc_setid | Default | Setting of user/group IDs at will |
| proc_taskid | Default | Assigning of task IDs to caller |
| sys_acct | Default | Management of accounting |
| sys_admin | Default | Simple system administration tasks |
| sys_audit | Default | Management of auditing |
| sys_nfs | Default | NFS client support |
| sys_resource | Default | Resource limit manipulation |
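The limitpriv expansion and the status rules from the table above can be checked before a value is committed with zonecfg. The following is an added example, not part of the original page or of Solaris itself: check_limitpriv is a hypothetical helper, it assumes tokens are applied left to right, handles only the default keyword and the ! form shown on this page, and leaves out the Trusted Extensions privileges.

```python
# Statuses transcribed from the privilege table on this page (shared-IP zone).
OPTIONAL = set("cpc_cpu dtrace_proc dtrace_user gart_access gart_map net_rawaccess "
               "proc_clock_highres proc_priocntl sys_ipc_config sys_time".split())
PROHIBITED = set("dtrace_kernel proc_zone sys_config sys_devices sys_linkdir "
                 "sys_net_config sys_res_config sys_suser_compat sys_ip_config".split())
REQUIRED = set("proc_exec proc_fork sys_mount".split())
DEFAULT = REQUIRED | set(
    "contract_event contract_observer file_chown file_chown_self file_dac_execute "
    "file_dac_read file_dac_search file_dac_write file_link_any file_owner file_setid "
    "ipc_dac_read ipc_dac_owner ipc_owner net_icmpaccess net_privaddr proc_audit "
    "proc_chroot proc_info proc_lock_memory proc_owner proc_session proc_setid "
    "proc_taskid sys_acct sys_admin sys_audit sys_nfs sys_resource".split())


def check_limitpriv(spec, exclusive_ip=False):
    """Expand a limitpriv value; return (effective_set, list_of_problems)."""
    optional, prohibited = set(OPTIONAL), set(PROHIBITED)
    required, default = set(REQUIRED), set(DEFAULT)
    if exclusive_ip:
        # Table rows for net_rawaccess and sys_ip_config differ by IP type.
        optional.discard("net_rawaccess")
        prohibited.discard("sys_ip_config")
        required.add("sys_ip_config")
        default |= {"net_rawaccess", "sys_ip_config"}
    effective, problems = set(), []
    for token in (t.strip() for t in spec.split(",")):
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name == "default" and not negate:
            effective |= default          # the keyword expands to the default set
        elif name not in default | optional | prohibited:
            problems.append(f"unknown privilege: {name}")
        elif negate:
            effective.discard(name)       # !priv removes it from the limit set
        elif name in prohibited:
            problems.append(f"prohibited in this zone type: {name}")
        else:
            effective.add(name)
    problems += [f"required privilege missing: {p}" for p in sorted(required - effective)]
    return effective, problems


if __name__ == "__main__":
    for spec in ("default,sys_time,!net_rawaccess", "default,dtrace_kernel,!sys_mount"):
        eff, probs = check_limitpriv(spec)
        print(spec, "->", len(eff), "privileges;", probs or "ok")
```

Running the check over every zone's limitpriv value shows which zones carry optional privileges such as sys_time or dtrace_user beyond the default set.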
The following table lists all of the Solaris Trusted Extensions privileges
and the status of each privilege with respect to zones. Optional privileges
are not part of the default set of privileges but can be specified through
the limitpriv property.
Note - These privileges are interpreted only if the system is configured
with Solaris Trusted Extensions.
Table 26.2 Status of Solaris Trusted Extensions Privileges in Zones

| Solaris Trusted Extensions Privilege | Status | Notes |
|---|---|---|
| sys_trans_label | Optional | Translate labels not dominated by sensitivity label |
| win_colormap | Optional | Colormap restrictions override |
| win_config | Optional | Configure or destroy resources that are permanently retained by the X server |
| win_dac_read | Optional | Read from window resource not owned by client's user ID |
| win_dac_write | Optional | Write to or create window resource not owned by client's user ID |
| win_devices | Optional | Perform operations on input devices. |
| win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed |
| win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label |
| win_fontpath | Optional | Add an additional font path |
| win_mac_read | Optional | Read from window resource with a label that dominates the client's label |
| win_mac_write | Optional | Write to window resource with a label not equal to the client's label |
| win_selection | Optional | Request data moves without confirmer intervention |
| win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label |
| net_bindmlp | Default | Allows binding to a multilevel port (MLP) |
| net_mac_aware | Default | Allows reading down via NFS |
Configuring Zone root with a ZFS boot file system.
This procedure enables zones to be patched or updated when installed on a bootable ZFS file system.
Create a ZFS dataset for the zone roots.
ultra20:/> zfs create -o canmount=noauto rpool/ROOT/09.03.22/zones
ultra20:/> zfs mount rpool/ROOT/09.03.22/zones
09.03.22 is the boot environment that is currently active. The noauto value of the canmount property prevents the dataset from being mounted other than by the explicit action of Solaris Live Upgrade and zoneadmd.
Create a root file system for a new zone.
ultra20:/> zfs create -o canmount=noauto rpool/ROOT/09.03.22/zones/zone1
ultra20:/> zfs mount rpool/ROOT/09.03.22/zones/zone1
ultra20:/> chmod 700 /zones/zone1
ultra20:/> zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 11.6G 134G 39K /rpool
rpool/ROOT 8.58G 134G 18K legacy
rpool/ROOT/09.03.22 8.58G 134G 6.37G /
rpool/ROOT/09.03.22@09.03.23 139M - 6.50G -
rpool/ROOT/09.03.22/export 18K 134G 18K /export
rpool/ROOT/09.03.22/zones 2.07G 134G 22K /zones
rpool/ROOT/09.03.22/zones/zone1 1.04G 134G 1.04G /zones/zone1
...
Create the zone
ultra20:/> zonecfg -z zone1
zone1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/zones/zone1
...
ultra20:/> zoneadm -z zone1 install
ultra20:/> zoneadm -z zone1 boot
Using the format command's modify sub-command.
chaos:/> format -e
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c0d0
/pci@0,0/pci-ide@5/ide@0/cmdk@0,0
1. c1d0
/pci@0,0/pci-ide@5/ide@1/cmdk@0,0
Specify disk (enter its number): 1
selecting c1d0
Controller working list found
[disk formatted, defect list found]
FORMAT MENU:
disk - select a disk
type - select (define) a disk type
partition - select (define) a partition table
current - describe the current disk
format - format and analyze the disk
repair - repair a defective sector
label - write label to the disk
analyze - surface analysis
defect - defect list management
backup - search for backup labels
verify - read and display labels
inquiry - show vendor, product and revision
scsi - independent SCSI mode selects
cache - enable, disable or query SCSI disk cache
volname - set 8-character volume name
!<cmd> - execute <cmd>, then return
quit
format>
Check the label first; the disk may have been used in a ZFS configuration:
format> l
[0] SMI Label
[1] EFI Label
Specify Label type[1]:
In the above case the disk needs to have the label changed.
The following shows how to change the label to SMI:
(accept the defaults for the last two questions by pressing enter)
Specify Label type[1]: 0
Warning: This disk has an EFI label. Changing to SMI label will erase all
current partitions.
Continue? y
Auto configuration via format.dat[no]?
Auto configuration via generic SCSI-2[no]?
format>
The following is an example of a disk with the correct label:
(press control and c to abort the label operation)
format> l
[0] SMI Label
[1] EFI Label
Specify Label type[0]: ^C
format>
Select the partition menu:
format> p
PARTITION MENU:
0 - change `0' partition
1 - change `1' partition
2 - change `2' partition
3 - change `3' partition
4 - change `4' partition
5 - change `5' partition
6 - change `6' partition
7 - change `7' partition
select - select a predefined table
modify - modify a predefined partition table
name - name the current table
print - display the current table
label - write partition map and label to the disk
!<cmd> - execute <cmd>, then return
quit
Select the modify sub-command:
partition> m
Select partitioning base:
0. Current partition table (original)
1. All Free Hog
Choose base (enter number) [0]?
Choose "All Free Hog":
Choose base (enter number) [0]? 1
Part Tag Flag Cylinders Size Blocks
0 root wm 0 0 (0/0/0) 0
1 swap wu 0 0 (0/0/0) 0
2 backup wu 0 - 30396 232.85GB (30397/0/0) 488327805
3 unassigned wm 0 0 (0/0/0) 0
4 unassigned wm 0 0 (0/0/0) 0
5 unassigned wm 0 0 (0/0/0) 0
6 usr wm 0 0 (0/0/0) 0
7 unassigned wm 0 0 (0/0/0) 0
8 boot wu 0 - 0 7.84MB (1/0/0) 16065
9 alternates wm 1 - 2 15.69MB (2/0/0) 32130
Do you wish to continue creating a new partition
table based on above table[yes]?
Press enter to accept the default answers for the next questions:
Do you wish to continue creating a new partition
table based on above table[yes]?
Free Hog partition[6]?
Enter the partition sizes:
Enter size of partition '0' [0b, 0c, 0.00mb, 0.00gb]: 2g
Enter size of partition '1' [0b, 0c, 0.00mb, 0.00gb]: 2g
Enter size of partition '3' [0b, 0c, 0.00mb, 0.00gb]: 6g
Enter size of partition '4' [0b, 0c, 0.00mb, 0.00gb]: 6g
Enter size of partition '5' [0b, 0c, 0.00mb, 0.00gb]: 6g
Enter size of partition '7' [0b, 0c, 0.00mb, 0.00gb]: 6g
Part Tag Flag Cylinders Size Blocks
0 root wm 3 - 264 2.01GB (262/0/0) 4209030
1 swap wu 265 - 526 2.01GB (262/0/0) 4209030
2 backup wu 0 - 30396 232.85GB (30397/0/0) 488327805
3 unassigned wm 527 - 1310 6.01GB (784/0/0) 12594960
4 unassigned wm 1311 - 2094 6.01GB (784/0/0) 12594960
5 unassigned wm 2095 - 2878 6.01GB (784/0/0) 12594960
6 usr wm 2879 - 29612 204.79GB (26734/0/0) 429481710
7 unassigned wm 29613 - 30396 6.01GB (784/0/0) 12594960
8 boot wu 0 - 0 7.84MB (1/0/0) 16065
9 alternates wm 1 - 2 15.69MB (2/0/0) 32130
Okay to make this the current partition table[yes]?
Press enter to accept the default for the first prompt,
enter a string for the table name, no spaces,
press y to label the disk.
Press control and d to exit format.
Okay to make this the current partition table[yes]?
Enter table name (remember quotes): test
Ready to label disk, continue? y
partition> ^D