Snoop Zoney Zone
By Jeff Victor on Oct 30, 2006
Ever been frustrated by the inability to snoop network traffic from within your Solaris Zones? Good news: Solaris 10 11/06 adds "configurable privileges" - the ability to modify the security boundary around one or more zones. How can this help you?
First some background: part of the implementation of a zone's security boundary is the lack of certain Solaris Privileges(5) - privileges that, in the wrong hands, could be used to affect other zones or even the entire system. One simple example is the SYS_TIME privilege, which allows the user to change the system clock that is used by all zones.
In the first release of Solaris 10 (in March, 2005) those privileges were not allowed in a zone. Even the root user of a non-global zone could not gain those privileges. This was a Good Thing, as you would not want one zone to change the system clock, for example.
However, since the debut of Solaris 10, we have investigated the implications of adding those 'prohibited' privileges into specific zones. Solaris 10 11/06 allows many of those privileges to be added to the default set of privileges that are permitted in a zone. Adding privileges must be performed by the global zone administrator using zonecfg(1M). While adding this functionality, we also added the ability to remove privileges from a zone's limit set.
Of course, adding functionality may also add security risks, and this is true for "configurable privileges." Adding a privilege to a zone's limit set may have unintended consequences. It is crucial to understand the implications of adding a privilege to a zone before actually doing so.
A comprehensive analysis of new possibilities would be a significant undertaking, but in this blog entry and a few others, I hope to provide some guidance on this topic. I'll start with the new ability to snoop network traffic from within a zone. Keep in mind that this includes all traffic on the network interface(s), including traffic for other zones, including the global zone. Adding net_rawaccess also allows the zone to do other nefarious things. Use this privilege, and others, with caution.
To allow a zone to snoop network traffic, you must add two directives to the zone's configuration, and then [re]boot the zone:
global# zonecfg -z twilight
zonecfg:twilight> set limitpriv="default,net_rawaccess"
zonecfg:twilight> add device
zonecfg:twilight> set match=/dev/e1000g0
zonecfg:twilight> end
zonecfg:twilight> exit
global#
After booting the zone, the root user can snoop that network interface, and see all traffic on that NIC.
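As an added check that is not part of the original post: a small POSIX shell audit that parses the output of `zonecfg -z <zone> info` and reports whether a zone has been handed net_rawaccess together with a raw device entry, so a global zone administrator can find which zones are able to snoop. The sample config below is constructed to match the twilight zone above; it assumes the `limitpriv:` and `device:`/`match:` lines in the form that command prints them, and that removals in limitpriv are written with a leading `!` or `-`.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Input is the text that
# `zonecfg -z <zone> info` prints; SAMPLE_INFO is a constructed stand-in
# for the twilight zone configured above.
SAMPLE_INFO='zonename: twilight
zonepath: /zones/twilight
brand: native
autoboot: true
limitpriv: default,net_rawaccess
inherit-pkg-dir:
    dir: /lib
device:
    match: /dev/e1000g0'

# Print privileges added to the limit set beyond "default", one per line.
# Entries starting with "!" or "-" are removals (assumed syntax) and skipped.
added_privs() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "limitpriv" {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] != "default" && p[i] !~ /^[!-]/) print p[i]
        }'
}

# Print every raw device path granted to the zone ("match:" lines).
device_matches() {
    printf '%s\n' "$1" | awk '$1 == "match:" { print $2 }'
}

# Return 0 when the zone can sniff the wire: net_rawaccess in its limit
# set plus at least one device entry (the NIC in the example above).
can_snoop() {
    added_privs "$1" | grep -qx net_rawaccess || return 1
    device_matches "$1" | grep -q '^/dev/' || return 1
    return 0
}

if can_snoop "$SAMPLE_INFO"; then
    echo "twilight: net_rawaccess granted, devices:" \
         "$(device_matches "$SAMPLE_INFO" | tr '\n' ' ')"
fi
```

Run it against each zone with `zonecfg -z <zone> info` as the input instead of SAMPLE_INFO to list every zone whose boundary has been widened this way.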
Finally, note that the set of privileges and the rules regarding their use may change in the future. For example, Project Crossbow will significantly change the way that zones use IP networks.