Privileges in a Non-Global Zone

Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

Table 26-1 Status of Privileges in Zones

Privilege	Status	Notes
`cpc_cpu`	Optional	Access to certain `cpc`(3CPC) counters
`dtrace_proc`	Optional	`fasttrap` and `pid` providers; `plockstat`(1M)
`dtrace_user`	Optional	`profile` and `syscall` providers
`gart_access`	Optional	`ioctl`(2) access to `agpgart_io`(7I)
`gart_map`	Optional	`mmap`(2) access to `agpgart_io`(7I)
`net_rawaccess`	Optional in shared-IP zones. Default in exclusive-IP zones.	Raw `PF_INET/PF_INET6` packet access
`proc_clock_highres`	Optional	Use of high resolution timers
`proc_priocntl`	Optional	Scheduling control; `priocntl`(1)
`sys_ipc_config`	Optional	Raising IPC message queue buffer size
`sys_time`	Optional	System time manipulation; `xntp`(1M)
`dtrace_kernel`	Prohibited	Currently unsupported
`proc_zone`	Prohibited	Currently unsupported
`sys_config`	Prohibited	Currently unsupported
`sys_devices`	Prohibited	Currently unsupported
`sys_linkdir`	Prohibited	Currently unsupported
`sys_net_config`	Prohibited	Currently unsupported
`sys_res_config`	Prohibited	Currently unsupported
`sys_suser_compat`	Prohibited	Currently unsupported
`proc_exec`	Required, Default	Used to start `init`(1M)
`proc_fork`	Required, Default	Used to start `init`(1M)
`sys_mount`	Required, Default	Needed to mount required file systems
`sys_ip_config`	Required, Default in exclusive-IP zones Prohibited in shared-IP zones	Required to boot zone and initialize IP networking in exclusive-IP zone
`contract_event`	Default	Used by contract file system
`contract_observer`	Default	Contract observation regardless of UID
`file_chown`	Default	File ownership changes
`file_chown_self`	Default	Owner/group changes for own files
`file_dac_execute`	Default	Execute access regardless of mode/ACL
`file_dac_read`	Default	Read access regardless of mode/ACL
`file_dac_search`	Default	Search access regardless of mode/ACL
`file_dac_write`	Default	Write access regardless of mode/ACL
`file_link_any`	Default	Link access regardless of owner
`file_owner`	Default	Other access regardless of owner
`file_setid`	Default	Permission changes for `setid`, `setgid`, `setuid` files
`ipc_dac_read`	Default	IPC read access regardless of mode
`ipc_dac_owner`	Default	IPC write access regardless of mode
`ipc_owner`	Default	IPC other access regardless of mode
`net_icmpaccess`	Default	ICMP packet access: `ping`(1M)
`net_privaddr`	Default	Binding to privileged ports
`proc_audit`	Default	Generation of audit records
`proc_chroot`	Default	Changing of `root` directory
`proc_info`	Default	Process examination
`proc_lock_memory`	Default	Locking memory; `shmctl`(2)and `mlock`(3C) If this privilege is assigned to a non-global zone by the system administrator, consider also setting the `zone.max-locked-memory` resource control to prevent the zone from locking all memory.
`proc_owner`	Default	Process control regardless of owner
`proc_session`	Default	Process control regardless of session
`proc_setid`	Default	Setting of user/group IDs at will
`proc_taskid`	Default	Assigning of task IDs to caller
`sys_acct`	Default	Management of accounting
`sys_admin`	Default	Simple system administration tasks
`sys_audit`	Default	Management of auditing
`sys_nfs`	Default	NFS client support
`sys_resource`	Default	Resource limit manipulation

The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.

Note - Trusted Solaris privileges are interpreted only if the system is configured with Trusted Extensions.

Table 26-2 Status of Solaris Trusted Extensions Privileges in Zones

Solaris Trusted Extensions Privilege	Status	Notes
`sys_trans_label`	Optional	Translate labels not dominated by sensitivity label
`win_colormap`	Optional	Colormap restrictions override
`win_config`	Optional	Configure or destroy resources that are permanently retained by the X server
`win_dac_read`	Optional	Read from window resource not owned by client's user ID
`win_dac_write`	Optional	Write to or create window resource not owned by client's user ID
`win_devices`	Optional	Perform operations on input devices.
`win_dga`	Optional	Use direct graphics access X protocol extensions; frame buffer privileges needed
`win_downgrade_sl`	Optional	Change sensitivity label of window resource to new label dominated by existing label
`win_fontpath`	Optional	Add an additional font path
`win_mac_read`	Optional	Read from window resource with a label that dominates the client's label
`win_mac_write`	Optional	Write to window resource with a label not equal to the client's label
`win_selection`	Optional	Request data moves without confirmer intervention
`win_upgrade_sl`	Optional	Change sensitivity label of window resource to a new label not dominated by existing label
`net_bindmlp`	Default	Allows binding to a multilevel port (MLP)
`net_mac_aware`	Default	Allows reading down through NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.