Information Technology Reference
In-Depth Information
Table 6.1
Privileges for Containers
Privilege
The privilege gives a process the ability to . . .
Default?
Use DTrace process-level tracing
No
dtrace_proc
Use DTrace user-level tracing
No
dtrace_user
Send and receive ICMP packets
Yes
net_icmpaccess
Bind to privileged ports
Yes
net_privaddr
Have raw network access, which is necessary to use snoop
No
net_rawaccess
Allow the use of high-resolution timers
No
proc_clock_highres
Examine
/proc
for other processes in the same Container
Yes
proc_info
Lock pages in physical memory
Yes
proc_lock_memory
See and modify other process states
Yes
proc_owner
Increase your priority or modify your scheduling class
No
proc_priocntl
Send signals or trace processes outside your session
Yes
proc_session
Enable, disable, and manage accounting via
acct
(2)
Yes
sys_acct
Set
nodename
,
domainname
, and
nscd
settings; use
coreadm
(1M)
Yes
sys_admin
Start the audit daemon
Yes
sys_audit
Increase the size of the System V IPC message queue buffer
No
sys_ipc_config
Configure a system's NICs, routes, and other network features (a
privilege automatically given to exclusive-IP Containers)
No
sys_ip_config
Exceed the resource limits of
setrlimit
(2) and
setctl
(2)
Yes
sys_resource
Change the system time clock via
stime
(2),
adjtime
(2), and
ntp_adjtime
(2)
No
sys_time
Whereas some privileges can be added to a Container, other privileges can
never
be added to a Container. These privileges control hardware components directly
(e.g., turning a CPU off or controlling access to kernel data). The latter action
is prevented to prohibit one Container from examining or modifying data about
another Container. Table 6.2 lists these privileges.
Table 6.2
Privileges Not Allowed in Containers
Privilege
The privilege gives a process the ability to . . .
Use DTrace kernel-level tracing
dtrace_kernel
Signal or trace processes in other zones
proc_zone
Perform file system-specific operations, quota calls, and creation and deletion
of snapshots
sys_config
Create device special files; override device restrictions
sys_devices
Search WWH ::
Custom Search