Giving a Zone "More Power"
- by Brian Leonard
In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is compare the privileges available to the global zone with those of a local zone.
For example, there a 82 distinct privileges available to the global zone:
bleonard@solaris:~$ ppriv -l | wc -l
82
You can view the descriptions for each of those privileges as follows:
bleonard@solaris:~$ ppriv -lv
contract_event
Allows a process to request critical events without limitation.
Allows a process to request reliable delivery of all events on
any event queue.
contract_identity
Allows a process to set the service FMRI value of a process
contract template.
...
Or for just one or more privileges:
bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
file_dac_read
Allows a process to read a file or directory whose permission
bits or ACL do not allow the process read permission.
file_dac_write
Allows a process to write a file or directory whose permission
bits or ACL do not allow the process write permission.
In order to write files owned by uid 0 in the absence of an
effective uid of 0 ALL privileges are required.
However, in a non-global zone, only 43 of the 83 privileges are available by default:
root@myzone:~# ppriv -l zone | wc -l
43
The missing privileges are:
cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_downgrade_sl
file_flag_set
file_upgrade_sl
graphics_access
graphics_map
net_mac_implicit
proc_clock_highres
proc_priocntl
proc_zone
sys_config
sys_devices
sys_ipc_config
sys_linkdir
sys_dl_config
sys_net_config
sys_res_bind
sys_res_config
sys_smb
sys_suser_compat
sys_time
sys_trans_label
virt_manage
win_colormap
win_config
win_dac_read
win_dac_write
win_devices
win_dga
win_downgrade_sl
win_fontpath
win_mac_read
win_mac_write
win_selection
win_upgrade_sl
xvm_control
However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:
root@myzone:~# dtrace -l
ID PROVIDER MODULE FUNCTION NAME
The DTrace privileges can be added, however, as follows:
bleonard@solaris:~$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot
Now I can run DTrace from within the zone:
root@myzone:~# dtrace -l | more
ID PROVIDER MODULE FUNCTION NAME
1 dtrace BEGIN
2 dtrace END
3 dtrace ERROR
7115 syscall nosys entry
7116 syscall nosys return
...
Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone:
bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify
Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.