Zones marked "set ip-type=exclusive" automatically get the privilege sys_ip_config added to the default limit set. If I have customized a zone's limit set, and *then* mark it exclusive-IP, will the sys_ip_config priv be added to the customized list, or will the list be replaced with the default set plus sys_ip_config?

--
--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
Jeff Victor wrote:
> Zones marked "set ip-type=exclusive" automatically get the privilege
> sys_ip_config added to the default limit set. If I have customized a
> zone's limit set, and *then* mark it exclusive-IP, will the
> sys_ip_config priv be added to the customized list, or will the list
> be replaced with the default set plus sys_ip_config?
>
Setting the exclusive ip-type just adds net_rawaccess and sys_ip_config to the 'default' set.

If you have customized the zone's limit set by adding privileges to the 'default' set, then setting ip-stack=exclusive later will just add net_rawaccess and sys_ip_config to the new 'L' set.

If you have reduced the 'default', then set ip-stack=exclusive, the zone fails to verify and boot:

# zoneadm -z z-b2 boot
required privilege "sys_ip_config" is missing from the zone's privilege set
zoneadm: zone z-b2 failed to verify

Now, if you try to manually add "sys_ip_config" from zonecfg, then you'll see the following failure:

# zoneadm -z z-b2 boot
privilege "sys_ip_config" is not permitted within the zone's privilege set
zoneadm: zone z-b2 failed to verify

Please go ahead and file a bug.

Thanks,

Kais.
Could you please give more information, like the output of zonecfg info and the steps you used?

Best,

Donghai.

Kais Belgaied wrote:
> Jeff Victor wrote:
>
>> Zones marked "set ip-type=exclusive" automatically get the privilege
>> sys_ip_config added to the default limit set. If I have customized a
>> zone's limit set, and *then* mark it exclusive-IP, will the
>> sys_ip_config priv be added to the customized list, or will the list
>> be replaced with the default set plus sys_ip_config?
>>
>
> Setting the exclusive ip-type just adds net_rawaccess and sys_ip_config
> to the 'default' set.
>
> If you have customized the zone's limit set by adding privileges to the
> 'default' set, then setting
> ip-stack=exclusive later will just add net_rawaccess and sys_ip_config
> to the new 'L' set.
>
> If you have reduced the 'default', then set ip-stack=exclusive, the zone
> fails to verify and boot:
>
> # zoneadm -z z-b2 boot
> required privilege "sys_ip_config" is missing from the zone's privilege set
> zoneadm: zone z-b2 failed to verify
>
> Now, if you try to manually add "sys_ip_config" from zonecfg, then
> you'll see the following failure:
>
> # zoneadm -z z-b2 boot
> privilege "sys_ip_config" is not permitted within the zone's privilege set
> zoneadm: zone z-b2 failed to verify
>
> Please go ahead and file a bug.
>
>
> Thanks,
>
> Kais.
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://opensolaris.org/mailman/listinfo/crossbow-discuss
The steps are what Jeff described:

. create a zone with a shared stack
. set the limitpriv to
  "basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource"
  (the default minus some privs)
. set the ip-type to exclusive
. attempt a boot

Zone z-b2 on data1.sfbay is sitting in that state if you wanna take a look.

bash-3.00# zonecfg -z z-b2 info
zonename: z-b2
zonepath: /opt/z-b2
brand: native
autoboot: false
bootargs:
pool:
limitpriv: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource,sys_ip_config
scheduling-class:
ip-type: shared
inherit-pkg-dir:
	dir: /usr
inherit-pkg-dir:
	dir: /lib
inherit-pkg-dir:
	dir: /opt

Kais.

Dong-Hai Han wrote:
> Could you please give more information, like the output of zonecfg info
> and the steps you used?
>
> Best,
>
> Donghai.
>
> Kais Belgaied wrote:
>
>> Jeff Victor wrote:
>>
>>> Zones marked "set ip-type=exclusive" automatically get the privilege
>>> sys_ip_config added to the default limit set. If I have customized
>>> a zone's limit set, and *then* mark it exclusive-IP, will the
>>> sys_ip_config priv be added to the customized list, or will the list
>>> be replaced with the default set plus sys_ip_config?
>>>
>>
>> Setting the exclusive ip-type just adds net_rawaccess and
>> sys_ip_config to the 'default' set.
>>
>> If you have customized the zone's limit set by adding privileges to
>> the 'default' set, then setting
>> ip-stack=exclusive later will just add net_rawaccess and
>> sys_ip_config to the new 'L' set.
>>
>> If you have reduced the 'default', then set ip-stack=exclusive, the
>> zone fails to verify and boot:
>>
>> # zoneadm -z z-b2 boot
>> required privilege "sys_ip_config" is missing from the zone's
>> privilege set
>> zoneadm: zone z-b2 failed to verify
>>
>> Now, if you try to manually add "sys_ip_config" from zonecfg, then
>> you'll see the following failure:
>>
>> # zoneadm -z z-b2 boot
>> privilege "sys_ip_config" is not permitted within the zone's
>> privilege set
>> zoneadm: zone z-b2 failed to verify
>>
>> Please go ahead and file a bug.
>>
>>
>> Thanks,
>>
>> Kais.
Hello, Kais,

Thanks for the info. The output of zonecfg shows that its ip-type is shared; that's why it cannot have sys_ip_config, it's by design. Looks like you changed ip-type in between your tests.

Best,

Donghai.

Kais Belgaied wrote:
> The steps are what Jeff described:
> . create a zone with a shared stack
> . set the limitpriv to
> "basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource"
> (the default minus some privs)
> . set the ip-type to exclusive
> . attempt a boot
>
> Zone z-b2 on data1.sfbay is sitting in that state if you wanna take a look.
>
> bash-3.00# zonecfg -z z-b2 info
> zonename: z-b2
> zonepath: /opt/z-b2
> brand: native
> autoboot: false
> bootargs:
> pool:
> limitpriv: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource,sys_ip_config
> scheduling-class:
> ip-type: shared
> inherit-pkg-dir:
> 	dir: /usr
> inherit-pkg-dir:
> 	dir: /lib
> inherit-pkg-dir:
> 	dir: /opt
>
> Kais.
>
> Dong-Hai Han wrote:
>
>> Could you please give more information, like the output of zonecfg info
>> and the steps you used?
>>
>> Best,
>>
>> Donghai.
>>
>> Kais Belgaied wrote:
>>
>>> Jeff Victor wrote:
>>>
>>>> Zones marked "set ip-type=exclusive" automatically get the privilege
>>>> sys_ip_config added to the default limit set. If I have customized
>>>> a zone's limit set, and *then* mark it exclusive-IP, will the
>>>> sys_ip_config priv be added to the customized list, or will the list
>>>> be replaced with the default set plus sys_ip_config?
>>>>
>>>
>>> Setting the exclusive ip-type just adds net_rawaccess and
>>> sys_ip_config to the 'default' set.
>>>
>>> If you have customized the zone's limit set by adding privileges to
>>> the 'default' set, then setting
>>> ip-stack=exclusive later will just add net_rawaccess and
>>> sys_ip_config to the new 'L' set.
>>>
>>> If you have reduced the 'default', then set ip-stack=exclusive, the
>>> zone fails to verify and boot:
>>>
>>> # zoneadm -z z-b2 boot
>>> required privilege "sys_ip_config" is missing from the zone's
>>> privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Now, if you try to manually add "sys_ip_config" from zonecfg, then
>>> you'll see the following failure:
>>>
>>> # zoneadm -z z-b2 boot
>>> privilege "sys_ip_config" is not permitted within the zone's
>>> privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Please go ahead and file a bug.
>>>
>>>
>>> Thanks,
>>>
>>> Kais.
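The two verify rules the thread arrives at (an exclusive-IP zone needs net_rawaccess and sys_ip_config, which only a default-derived limit set gets implicitly, and a shared-stack zone may not carry sys_ip_config) can be checked before `zoneadm boot`. This is an added example written for this page, not code from the thread or from Solaris; the function names, the parsing of `zonecfg info` output and the abridged z-b2 sample are assumptions.

```shell
# Added example: pre-boot check of a zone's limitpriv against its ip-type,
# following the rules given in the thread (exclusive adds net_rawaccess and
# sys_ip_config to 'default'; shared may not carry sys_ip_config).
EXCL_REQUIRED="net_rawaccess sys_ip_config"   # must be present for exclusive
SHARED_FORBIDDEN="sys_ip_config"              # not permitted for shared
# has_priv LIST PRIV: succeed if PRIV is a member of comma-separated LIST.
has_priv() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}
# check_limitpriv IPTYPE LIMITPRIV: print a zoneadm-verify-style message per
# problem and return 1; print nothing and return 0 if the set would verify.
# An empty LIMITPRIV or one containing the 'default' token gets the exclusive
# privileges implicitly, so only an explicit reduced list can lack them.
check_limitpriv() {
    ip_type=$1 limitpriv=$2 rc=0
    if [ "$ip_type" = "exclusive" ]; then
        for p in $EXCL_REQUIRED; do
            if [ -n "$limitpriv" ] && ! has_priv "$limitpriv" default &&
               ! has_priv "$limitpriv" "$p"; then
                echo "required privilege \"$p\" is missing from the zone's privilege set"
                rc=1
            fi
        done
    else
        for p in $SHARED_FORBIDDEN; do
            if has_priv "$limitpriv" "$p"; then
                echo "privilege \"$p\" is not permitted within the zone's privilege set"
                rc=1
            fi
        done
    fi
    return $rc
}
# check_zonecfg: read 'zonecfg -z ZONE info' output on stdin (hypothetical
# parser, keyed on the 'ip-type:' and 'limitpriv:' lines) and check it.
check_zonecfg() {
    info=$(cat)
    check_limitpriv "$(printf '%s\n' "$info" | sed -n 's/^ip-type: //p')" \
                    "$(printf '%s\n' "$info" | sed -n 's/^limitpriv: //p')"
}
# Constructed, abridged zonecfg output mirroring the z-b2 state in the thread:
# a reduced explicit set that was given sys_ip_config while still shared.
SAMPLE_INFO='zonename: z-b2
limitpriv: basic,file_chown,net_privaddr,sys_mount,sys_ip_config
ip-type: shared'
printf '%s\n' "$SAMPLE_INFO" | check_zonecfg || echo "zone would fail to verify"
```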