Giving a Zone "More Power"

Posted by Brian Leonard on Oracle Blogs See other posts from Oracle Blogs or by Brian Leonard
Published on Thu, 23 Jun 2011 06:46:10 -0700 Indexed on 2011/06/23 16:27 UTC
Read the original article Hit count: 382

Filed under:

In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is compare the privileges available to the global zone with those of a local zone.

For example, there a 82 distinct privileges available to the global zone:

bleonard@solaris:~$ ppriv -l | wc -l 
82

You can view the descriptions for each of those privileges as follows:

bleonard@solaris:~$ ppriv -lv
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
contract_identity
	Allows a process to set the service FMRI value of a process
	contract template.
...

Or for just one or more privileges:

bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
file_dac_read
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.
file_dac_write
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

However, in a non-global zone, only 43 of the 83 privileges are available by default:

root@myzone:~# ppriv -l zone | wc -l      
43

The missing privileges are:

cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_downgrade_sl
file_flag_set
file_upgrade_sl
graphics_access
graphics_map
net_mac_implicit
proc_clock_highres
proc_priocntl
proc_zone
sys_config
sys_devices
sys_ipc_config
sys_linkdir
sys_dl_config
sys_net_config
sys_res_bind
sys_res_config
sys_smb
sys_suser_compat
sys_time
sys_trans_label
virt_manage
win_colormap
win_config
win_dac_read
win_dac_write
win_devices
win_dga
win_downgrade_sl
win_fontpath
win_mac_read
win_mac_write
win_selection
win_upgrade_sl
xvm_control

However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:

root@myzone:~# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

The DTrace privileges can be added, however, as follows:

bleonard@solaris:~$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot

Now I can run DTrace from within the zone:

root@myzone:~# dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 7115    syscall                                               nosys entry
 7116    syscall                                               nosys return
...

Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone:

bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify

Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.

© Oracle Blogs or respective owner

Related posts about /Solaris