Controlling Access to Devices
Peripheral devices that are attached to a computer system pose a security risk.
Microphones can pick up conversations and transmit them to remote systems. CD-ROMs can
leave their information behind for reading by the next user of the CD-ROM
device. Printers can be accessed remotely. Devices that are integral to the system
can also present security issues. For example, network interfaces such as hme0 are
considered integral devices.
Solaris software provides two methods of controlling access to devices. Device policy restricts
or prevents access to devices that are integral to the system. Device policy
is enforced in the kernel. Device allocation restricts or prevents access to peripheral
devices. Device allocation is enforced at user allocation time.
Device policy uses privileges to protect selected devices in the kernel. For example,
the device policy on network interfaces such as hme requires all privileges for reading
Device allocation uses authorizations to protect peripheral devices, such as printers or microphones.
By default, device allocation is not enabled. Once enabled, device allocation can be
configured to prevent the use of a device or to require authorization for
access to the device. When a device is allocated for use, no other
user can access the device until the current user deallocates it.
A Solaris system can be configured in several areas to control access to
Set device policy – In the Solaris 10 release, you can require that the process that is accessing a particular device be running with a set of privileges. Processes without those privileges cannot use the device. At boot time, Solaris software configures device policy. Third-party drivers can be configured with device policy during installation. After installation, you, as the system administrator can add device policy to a device.
Make devices allocatable – When you enable device allocation, you can restrict the use of a device to one user at a time. You can further require that the user fulfill some security requirements. For example, you can require that the user be authorized to use the device.
Prevent devices from being used – You can prevent the use of a device, such as a microphone, by any user on a computer system. A computer kiosk might be a good candidate for making certain devices unavailable for use.
Confine a device to a particular zone – You can assign the use of a device to a non-global zone. For more information, see Device Use in Non-Global Zones in System Administration Guide: Virtualization Using the Solaris Operating System. For a more general discussion of devices and zones, see Configured Devices in Zones in System Administration Guide: Virtualization Using the Solaris Operating System.
Device Policy (Overview)
The device policy mechanism enables you to specify that processes that open a
device require certain privileges. Devices that are protected by device policy can only
be accessed by processes that are running with the privileges that the device
policy specifies. The Solaris OS provides default device policy. For example, network interfaces
such as hme0 require that the processes that access the interface be running
with the net_rawaccess privilege. The requirement is enforced in the kernel. For
more information about privileges, see Privileges (Overview).
In earlier Solaris OS releases, device nodes were protected by file permissions alone.
For example, devices owned by group sys could be opened only by members
of group sys. In the Solaris 10 release, file permissions do not predict
who can open a device. Instead, devices are protected with file permissions and
with device policy. For example, the /dev/ip file has 666 permissions. However, the device
can only be opened by a process with the appropriate privileges.
The configuration of device policy can be audited. The AUE_MODDEVPLCY audit event
records changes in device policy.
For more information about device policy, see the following:
Device Allocation (Overview)
The device allocation mechanism enables you to restrict access to a peripheral device,
such as a CD-ROM. You manage the mechanism locally. If device allocation is
not enabled, peripheral devices are protected only by file permissions. For example, by
default, peripheral devices are available for the following uses:
Any user can read and write to a diskette or CD-ROM.
Any user can attach a microphone.
Any user can access an attached printer.
Device allocation can restrict a device to authorized users. Device allocation can also
prevent a device from being accessed at all. A user who allocates a
device has exclusive use of that device until the user deallocates the device.
When a device is deallocated, device-clean scripts erase any leftover data. You can
write a device-clean script to purge information from devices that do not have
a script. For an example, see Writing New Device-Clean Scripts.
Attempts to allocate a device, deallocate a device, and list allocatable devices can
be audited. The audit events are part of the ot audit class.
For more information on device allocation, see the following: