privileges that a Container has cannot be escalated from within the Container.¹ At
the same time, processes with sufficient privileges, running in the global zone, can
interact with processes and other types of objects in Containers. This type of
interaction is necessary for the global zone to manage Containers. For example, the
root user in the global zone must be able to diagnose a performance issue caused
by a process in one Container. It can use DTrace to accomplish this task because
privileged processes in the global zone can interact with processes in Containers
in certain ways.
Also, nonprivileged users in the global zone can perform some operations that
are commonplace on UNIX systems, but that are unavailable to nonprivileged
users in a Container. A simple example is the ability to list all processes running
on the system, whether they are running in Containers or not. For some systems,
this capability is another reason to prevent user access to the global zone.
The isolation of Containers is very thorough in Oracle Solaris. The Containers
feature set is the basis for the Solaris Trusted Extensions feature set, and the
capabilities of Solaris Trusted Extensions are appropriate for systems that must
compartmentalize data. Solaris 10 11/06 with Solaris Trusted Extensions achieved
Common Criteria Certification for the Labeled Security Protection Profile (LSPP)
at Evaluation Assurance Level (EAL) 4+, the highest commonly recognized
global security certification. This certification allows Solaris 10 to be deployed
when multi-level security (MLS) protection and independent validation of an
OS security model is required. Solaris 10 achieved this certification for SPARC
and x86-based systems, for both desktop and server functionality, and also
received Common Criteria Certification for the Controlled Access Protection Profile
(CAPP) and Role-Based Access Control Protection Profile (RBACPP).
The isolation of Containers is implemented in the Oracle Solaris kernel. As
described earlier, this isolation is somewhat configurable, enabling the global zone
administrator to customize the security of a Container. By default, the security
boundary around a Container is very robust. This boundary can be further
hardened by removing privileges from the Container, which effectively prevents the
Container from using specific features of Solaris. The boundary can be selectively
enlarged by enabling the Container to perform specific operations such as setting
the system time clock.
The entire list of privileges appears on the privileges(5) man page. Table 6.1
shows the privileges that are most commonly used to customize a Container's
security boundary. The third column indicates whether the privilege is in the default
privilege set for Containers. Note that nondefault settings described elsewhere,
such as ip-type=exclusive, change the list of privileges automatically.
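The two adjustments described above, removing a privilege to harden the boundary and adding one (such as the privilege to set the system clock) to enlarge it, are both expressed on Solaris through a single privilege-set specification. The following shell script is an added example, not code from the book: it reproduces the expansion rules of that specification (a leading "default" token stands for the default zone set, a token prefixed with "-" or "!" removes a privilege, any other token adds one, and an empty specification means the default set) so the resulting set can be inspected offline. The default set used here is a deliberately short, constructed stand-in for the real default zone privilege set, the privilege names sys_time and sys_nfs are ones I am confident exist, and the zone name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the book): expand a zone privilege-set
# specification against a stand-in default set, following the rules
# used by the zone limitpriv property: "default" expands to the default
# set, "-priv" or "!priv" removes priv, "priv" adds it, empty == default.

# Constructed, abbreviated stand-in; the real default zone set is longer.
STANDIN_DEFAULT="proc_fork,proc_exec,proc_info,sys_mount,sys_nfs"

# _has SET PRIV -> success if PRIV is already a member of SET
_has() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# _add SET PRIV -> SET with PRIV appended once (no duplicates)
_add() {
    if _has "$1" "$2"; then printf '%s' "$1"
    elif [ -z "$1" ]; then printf '%s' "$2"
    else printf '%s' "$1,$2"
    fi
}

# _add_many SET LIST -> SET with every privilege in comma-separated LIST added
_add_many() {
    acc=$1
    IFS=,
    for p in $2; do acc=$(_add "$acc" "$p"); done
    printf '%s' "$acc"
}

# _remove SET PRIV -> SET without PRIV, order of the rest preserved
_remove() {
    acc=""
    IFS=,
    for p in $1; do
        [ "$p" = "$2" ] || acc=$(_add "$acc" "$p")
    done
    printf '%s' "$acc"
}

# expand_limitpriv SPEC -> resulting comma-separated privilege set,
# listed in the order privileges were first granted
expand_limitpriv() {
    spec=$1
    [ -n "$spec" ] || spec=default      # empty specification means default
    result=""
    old_ifs=$IFS
    IFS=,
    for tok in $spec; do
        case $tok in
            default)     result=$(_add_many "$result" "$STANDIN_DEFAULT") ;;
            '-'*|'!'*)   result=$(_remove "$result" "${tok#?}") ;;
            '')          ;;               # ignore empty tokens from stray commas
            *)           result=$(_add "$result" "$tok") ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Hardening: drop the NFS-server privilege from the default set.
expand_limitpriv "default,-sys_nfs"
# Selective enlargement: let processes in the zone set the system clock.
expand_limitpriv "default,sys_time"
# The same specification as the global zone administrator would set it
# (placeholder zone name; shown as a comment because it needs a Solaris host):
#   zonecfg -z ZONE_NAME 'set limitpriv="default,-sys_nfs,sys_time"'
```

The order of tokens matters only in that "default" must come first; a privilege removed and then re-added in the same specification ends up granted, which the third assertion below exercises.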
¹ For more details on Solaris privileges, see the topic Solaris Security Essentials or Solaris 10 System
Administration Guide: Security Services, which can be obtained at http://docs.sun.com/app/docs/prod/solaris.10.