For quite a while now, the ability to access the network has been a privilege in Solaris, not something you automatically have the right to do, much like the privilege to export things in the United States. In Oracle Solaris 11.4 it has become really easy to run an application in such an environment: when you know your application should never ever use networking, you can jail it in a sandbox. Without further options, a sandbox keeps the privilege to use the network.

root@batou:~# sandbox "ssh jmoekamp@192.168.31.225"
Password: 

However, if you start the sandbox with the -n option, a command run inside the sandbox doesn't have the permission to do so:

root@batou:~# sandbox -n "ssh jmoekamp@192.168.31.225"
socket: Permission denied
ssh: connect to host 192.168.31.225 port 22: failure
root@batou:~#

The difference between both commands is the set of privileges that is given to the processes inside the sandboxes.

root@batou:~# sandbox -n "bash"
root@batou:~# ppriv $$
1335:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/
                {proc_exec}:/usr/
        E: basic,!net_access,!proc_exec,!proc_info,!proc_session
        I: basic,!net_access,!proc_exec,!proc_info,!proc_session
        P: basic,!net_access,!proc_exec,!proc_info,!proc_session
        L: basic

The privilege to access the network has been explicitly removed by the !net_access entry in the effective, inheritable and permitted sets. A sandbox started without -n doesn't have this limitation, so you can use the network.

root@batou:~# sandbox "bash"
root@batou:~# ppriv $$
1337:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/
                {proc_exec}:/usr/
        E: basic,!proc_exec,!proc_info,!proc_session
        I: basic,!proc_exec,!proc_info,!proc_session
        P: basic,!proc_exec,!proc_info,!proc_session
        L: basic

By the way: I used the root user to show that this limitation is even in place for processes running with root or root-equivalent privileges.
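When you audit a sandboxed process, it helps to check the ppriv output mechanically rather than by eye. The following POSIX shell function is an added example, not part of the original post or of Solaris itself: it parses a ppriv(1) listing and reports whether net_access has been removed from the effective (E) set. The two listings embedded below are constructed to mirror the output shown above; on a Solaris 11.4 host you would feed it the live output of ppriv instead.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether a ppriv(1)
# listing shows net_access removed from the effective privilege set.

# Constructed sample: ppriv output of a shell started with "sandbox -n bash".
sandboxed_ppriv='1335:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/
                {proc_exec}:/usr/
        E: basic,!net_access,!proc_exec,!proc_info,!proc_session
        I: basic,!net_access,!proc_exec,!proc_info,!proc_session
        P: basic,!net_access,!proc_exec,!proc_info,!proc_session
        L: basic'

# Constructed sample: ppriv output of a shell started with "sandbox bash".
unsandboxed_ppriv='1337:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/
                {proc_exec}:/usr/
        E: basic,!proc_exec,!proc_info,!proc_session
        I: basic,!proc_exec,!proc_info,!proc_session
        P: basic,!proc_exec,!proc_info,!proc_session
        L: basic'

# net_access_dropped PPRIV_TEXT
# Prints "yes" when the E: line contains the !net_access entry, "no" otherwise.
# Only the effective set matters for what the process can do right now,
# so the I: and P: lines are ignored.
net_access_dropped() {
    printf '%s\n' "$1" | awk '
        $1 == "E:" {
            n = split($2, privs, ",")
            for (i = 1; i <= n; i++) {
                if (privs[i] == "!net_access") { print "yes"; exit }
            }
            print "no"
            exit
        }'
}

# Stand-alone demonstration on the two constructed listings.
printf 'sandbox -n: net_access dropped = %s\n' "$(net_access_dropped "$sandboxed_ppriv")"
printf 'sandbox:    net_access dropped = %s\n' "$(net_access_dropped "$unsandboxed_ppriv")"
```

On a live system the check is simply `net_access_dropped "$(ppriv $$)"` from inside the sandboxed shell; a "no" for a workload that should never touch the network means the sandbox was started without -n.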
