Giving a Zone "More Power"

In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is to compare the privileges available to the global zone with those of a non-global zone.

For example, there are 82 distinct privileges available to the global zone:

bleonard@solaris:~$ ppriv -l | wc -l
82

You can view the descriptions for each of those privileges as follows:

bleonard@solaris:~$ ppriv -lv
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
contract_identity
	Allows a process to set the service FMRI value of a process
	contract template.
...

Or for just one or more privileges:

bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
file_dac_read
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.
file_dac_write
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

However, in a non-global zone, only 43 of the 82 privileges are available by default:

root@myzone:~# ppriv -l zone | wc -l
43

The missing privileges are:

cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_downgrade_sl
file_flag_set
file_upgrade_sl
graphics_access
graphics_map
net_mac_implicit
proc_clock_highres
proc_priocntl
proc_zone
sys_config
sys_devices
sys_ipc_config
sys_linkdir
sys_dl_config
sys_net_config
sys_res_bind
sys_res_config
sys_smb
sys_suser_compat
sys_time
sys_trans_label
virt_manage
win_colormap
win_config
win_dac_read
win_dac_write
win_devices
win_dga
win_downgrade_sl
win_fontpath
win_mac_read
win_mac_write
win_selection
win_upgrade_sl
xvm_control

However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:

root@myzone:~# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

The DTrace privileges can be added, however, as follows:

bleonard@solaris:~$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot

Now I can run DTrace from within the zone:

root@myzone:~# dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 7115    syscall                                               nosys entry
 7116    syscall                                               nosys return
...

Note that certain privileges can never be assigned to a zone. If you attempt to assign a prohibited privilege, the zone fails verification and you'll be notified on boot:

bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify
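The list of missing privileges above is simply the difference between the global-zone and zone privilege sets, and the limitpriv edit is worth auditing before a reboot so you know exactly what power a zone is being handed. The POSIX shell script below is an added example, not from the original post: it diffs two privilege lists the way the missing list was derived, and then classifies each entry of a zonecfg limitpriv string as already in the zone default, added beyond it, prohibited, or unknown. The embedded lists are a constructed subset standing in for the output of ppriv -l and ppriv -l zone (replace them with the real command output on a Solaris host), and the prohibited list contains only dtrace_kernel, the one privilege this page shows being rejected; the full prohibited set is in the linked documentation.

```shell
#!/bin/sh
# Constructed sample data: a subset of `ppriv -l` (global zone) and
# `ppriv -l zone` (non-global zone default). On a real host, capture them with:
#   GLOBAL_PRIVS=$(ppriv -l)      ZONE_PRIVS=$(ppriv -l zone)
GLOBAL_PRIVS="contract_event
contract_identity
dtrace_kernel
dtrace_proc
dtrace_user
file_dac_read
file_dac_write
proc_priocntl
sys_time"

ZONE_PRIVS="contract_event
contract_identity
file_dac_read
file_dac_write"

# Privileges the page shows zoneadm refusing at boot. Assumption: only the one
# demonstrated on this page is listed; extend from the Solaris documentation.
PROHIBITED_PRIVS="dtrace_kernel"

# in_list NAME LIST: succeed if NAME is an exact line of the newline-separated LIST.
in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# missing_privs GLOBAL ZONE: print the privileges the global zone has but the
# zone does not, one per line (this is how the "missing privileges" list arises).
missing_privs() {
    for p in $1; do
        in_list "$p" "$2" || printf '%s\n' "$p"
    done
}

# audit_limitpriv LIMITPRIV ZONE GLOBAL: for a zonecfg value such as
# "default,dtrace_proc,dtrace_user", print "<priv> <status>" per entry, where
# status is one of: prohibited (zoneadm will refuse to boot the zone),
# default (already granted, so listing it adds nothing), added (real extra
# power beyond the zone default), unknown (no such privilege on this host).
audit_limitpriv() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r p; do
        [ "$p" = default ] && continue
        if in_list "$p" "$PROHIBITED_PRIVS"; then
            printf '%s prohibited\n' "$p"
        elif in_list "$p" "$2"; then
            printf '%s default\n' "$p"
        elif in_list "$p" "$3"; then
            printf '%s added\n' "$p"
        else
            printf '%s unknown\n' "$p"
        fi
    done
}

# Stand-alone demonstration on the constructed data.
printf 'Privileges missing from the zone default:\n'
missing_privs "$GLOBAL_PRIVS" "$ZONE_PRIVS"
printf '\nAudit of limitpriv="default,dtrace_proc,dtrace_user,dtrace_kernel":\n'
audit_limitpriv "default,dtrace_proc,dtrace_user,dtrace_kernel" "$ZONE_PRIVS" "$GLOBAL_PRIVS"
```

Run the audit before `zonecfg -z myzone` rather than after: a privilege reported as "added" is the one to justify, "prohibited" saves a failed reboot, and "unknown" usually means a typo in the privilege name.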

Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.

Comments:

Hello

Just came across your blog via c0t0d0s0.org. Some great posts here.

Will be checking in more often.

Cheers

Stu

Posted by guest on June 24, 2011 at 12:40 PM GMT #

About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.
