<?xml version="1.0"?>
<!--
CDDL HEADER START
The contents of this file are subject to the terms of the
Common Development and Distribution License (the "License").
You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions
and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each
file and include the License file at usr/src/OPENSOLARIS.LICENSE.
If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
DO NOT EDIT THIS FILE.
-->
<!DOCTYPE brand PUBLIC "-//Sun Microsystems Inc//DTD Brands//EN"
"file:///usr/share/lib/xml/dtd/brand.dtd.1">
<brand name="labeled">
<!--
Brand definition for the "labeled" zone brand.  Every lifecycle hook
below delegates to the solaris brand's scripts under
/usr/lib/brand/solaris/, so the two brands share their install/boot/
attach behaviour, and the file-mac-profile definitions at the end are
duplicated from the solaris brand as well (see the note there).

The document is validated against the brand DTD named in the DOCTYPE
above; its system identifier is a local file:/// path, so parsing this
file should never involve a network fetch of the DTD (confirm with the
zone XML loader if a different resolver is introduced).

Tokens of the form %z, %R, %u and %Z inside the command strings are
placeholders expanded by the zone framework before the hook runs
(zone name, zone root path and user name are the likely meanings;
confirm against the brand framework documentation).
-->
<!-- No brand-specific kernel module is named. -->
<modname></modname>
<!-- Program started as the zone's init process. -->
<initname>/usr/sbin/init</initname>
<!-- Interactive login and its forced variant; the two differ only by
the -f flag. -->
<login_cmd>/usr/bin/login -z %Z %u</login_cmd>
<forcedlogin_cmd>/usr/bin/login -z %Z -f %u</forcedlogin_cmd>
<!-- Looks up the login user's passwd entry inside the zone. -->
<user_cmd>/usr/bin/getent passwd %u</user_cmd>
<!-- We may not be able to do the create in pkg(1) proper. -->
<install>/usr/lib/brand/solaris/pkgcreatezone -z %z -R %R</install>
<!-- getopt-style option string accepted by the install hook: a letter
followed by ':' takes an argument (presumably consumed by the
framework's option validation; confirm). -->
<installopts>Ua:c:d:hm:psuv</installopts>
<!-- Boot, system-boot and halt hooks; boot and halt go through
wrapper scripts in the solaris brand directory. -->
<boot>/usr/lib/brand/solaris/boot.wrapper %z %R</boot>
<sysboot>/usr/lib/brand/solaris/sysboot %z %R</sysboot>
<halt>/usr/lib/brand/solaris/halt.wrapper %z %R</halt>
<!-- Verification hooks: verify_cfg takes no zone argument, verify_adm
receives the zone name. -->
<verify_cfg>/usr/lib/brand/solaris/verify_cfg</verify_cfg>
<verify_adm>/usr/lib/brand/solaris/verify_adm %z</verify_adm>
<!-- Left empty: no command runs after attach, clone or install. -->
<postattach></postattach>
<postclone></postclone>
<postinstall></postinstall>
<!-- After a move the zone is re-sysbooted; note sysboot is invoked here
with the zone name only, not the root path. -->
<postmove>/usr/lib/brand/solaris/sysboot %z</postmove>
<!-- Attach/detach/clone/uninstall.  The argument conventions differ
per script (attach and uninstall take positional %z %R, detach and
clone take -z/-R); they follow each script's own interface, so do not
normalise them without checking the scripts. -->
<attach>/usr/lib/brand/solaris/attach %z %R</attach>
<detach>/usr/lib/brand/solaris/detach -z %z -R %R</detach>
<clone>/usr/lib/brand/solaris/clone -z %z -R %R</clone>
<uninstall>/usr/lib/brand/solaris/uninstall %z %R</uninstall>
<!-- Run immediately before and after every zone state transition. -->
<prestatechange>/usr/lib/brand/solaris/prestate %z %R</prestatechange>
<poststatechange>/usr/lib/brand/solaris/poststate %z %R</poststatechange>
<!--
Privilege sets.  The set names are interpreted by the zone framework;
the usual reading (confirm against the brand framework documentation)
is:
  default    - privileges a zone of this brand holds unless its
               configuration removes them
  prohibited - privileges that may never be granted to the zone
  required   - privileges that must always be present

ip-type restricts an entry to zones of that IP type.  That is how
net_rawaccess, sys_ip_config, sys_iptun_config, sys_flow_config and
sys_ppp_config are granted only to exclusive-IP zones, while
sys_ip_config and sys_ppp_config are explicitly prohibited for
shared-IP zones.  An entry may appear in more than one set: sys_mount
is both default and required, and sys_ip_config is default and
required for exclusive-IP zones.  Keep the three sets consistent when
editing (an entry that is both default and prohibited for the same
ip-type would be contradictory).
-->
<privilege set="default" name="contract_event" />
<privilege set="default" name="contract_identity" />
<privilege set="default" name="contract_observer" />
<privilege set="default" name="file_chown" />
<privilege set="default" name="file_chown_self" />
<privilege set="default" name="file_dac_execute" />
<privilege set="default" name="file_dac_read" />
<privilege set="default" name="file_dac_search" />
<privilege set="default" name="file_dac_write" />
<privilege set="default" name="file_owner" />
<privilege set="default" name="file_setid" />
<privilege set="default" name="ipc_dac_read" />
<privilege set="default" name="ipc_dac_write" />
<privilege set="default" name="ipc_owner" />
<!-- net_bindmlp and net_mac_aware are in the default set here and are
presumably what distinguishes this brand's networking from the plain
solaris brand; confirm before removing. -->
<privilege set="default" name="net_bindmlp" />
<privilege set="default" name="net_icmpaccess" />
<privilege set="default" name="net_mac_aware" />
<privilege set="default" name="net_observability" />
<privilege set="default" name="net_privaddr" />
<privilege set="default" name="net_rawaccess" ip-type="exclusive" />
<privilege set="default" name="proc_chroot" />
<privilege set="default" name="sys_audit" />
<privilege set="default" name="proc_audit" />
<privilege set="default" name="proc_lock_memory" />
<privilege set="default" name="proc_owner" />
<privilege set="default" name="proc_setid" />
<privilege set="default" name="proc_taskid" />
<privilege set="default" name="sys_acct" />
<privilege set="default" name="sys_admin" />
<privilege set="default" name="sys_ip_config" ip-type="exclusive" />
<privilege set="default" name="sys_iptun_config" ip-type="exclusive" />
<privilege set="default" name="sys_flow_config" ip-type="exclusive" />
<privilege set="default" name="sys_mount" />
<privilege set="default" name="sys_nfs" />
<privilege set="default" name="sys_resource" />
<privilege set="default" name="sys_ppp_config" ip-type="exclusive" />
<privilege set="default" name="sys_share" />
<!-- Never grantable inside the zone. -->
<privilege set="prohibited" name="dtrace_kernel" />
<privilege set="prohibited" name="proc_zone" />
<privilege set="prohibited" name="sys_config" />
<privilege set="prohibited" name="sys_devices" />
<privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
<privilege set="prohibited" name="sys_linkdir" />
<privilege set="prohibited" name="sys_net_config" />
<privilege set="prohibited" name="sys_res_config" />
<privilege set="prohibited" name="sys_suser_compat" />
<privilege set="prohibited" name="sys_ppp_config" ip-type="shared" />
<!-- Must always be present. -->
<privilege set="required" name="proc_exec" />
<privilege set="required" name="proc_fork" />
<privilege set="required" name="sys_ip_config" ip-type="exclusive" />
<privilege set="required" name="sys_mount" />
<!--
The file-mac-profile definitions.

For all profiles:
  - packages can't be installed.

strict
  No modification of stable storage.  Reboot and it comes back as it
  was when it was first installed.  This profile comes with the best
  security guarantee.
  - SMF services persistently enabled are fixed
  - SMF manifests can't be added from the default locations
  - Logging/auditing configuration is fixed and data can only be
    logged remotely.

fixed-configuration
  Attempt to prevent privilege escalation via introduction of new
  binaries and changes to core OS configuration, but allowing local
  logging/auditing with a fixed configuration.
  - SMF manifests can't be added from the default locations
  - SMF services persistently enabled are fixed
  - Logging/auditing files can be local; syslog & audit configuration
    are fixed

flexible-configuration
  Attempt to prevent privilege escalation via introduction of new
  binaries, while allowing configuration to be changed and local
  logging/auditing.  No security guarantee is made other than that
  binaries and libraries cannot be modified.
  - S11 closest equivalent to S10 sparse root zones
  - SMF policy can be changed boot to boot, as the repository is
    writable
  - Logging/auditing configuration & files can be local

NOTE: These profiles are currently exactly the same in the solaris
brand; make sure that if you change these that you also update the
solaris brand.

Reading the path lists below: "strict" names no paths at all, which
is presumably how "no modification of stable storage" is expressed
(everything read-only).  The other two profiles list specific
readonly-path globs under /var alongside a broad writable-path of
/var/*; they only have the documented effect if the more specific
readonly-path entries take precedence over the wider writable-path
glob.  Confirm that precedence rule with the zone's file-mac-profile
implementation before reordering or widening any of these globs.
flexible-configuration differs from fixed-configuration in exactly
three ways: /var/spool/cron/* is no longer read-only, and /etc/* and
/root/* become writable.
-->
<file-mac-profile name="strict"/>
<file-mac-profile name="fixed-configuration">
<readonly-path path="/var/ld/*"/>
<readonly-path path="/var/lib/postrun/*"/>
<readonly-path path="/var/pkg/*"/>
<readonly-path path="/var/sadm/*"/>
<readonly-path path="/var/spool/cron/*"/>
<readonly-path path="/var/spool/postrun/*"/>
<readonly-path path="/var/svc/manifest/*"/>
<readonly-path path="/var/svc/profile/*"/>
<writable-path path="/var/*"/>
</file-mac-profile>
<file-mac-profile name="flexible-configuration">
<readonly-path path="/var/ld/*"/>
<readonly-path path="/var/lib/postrun/*"/>
<readonly-path path="/var/pkg/*"/>
<readonly-path path="/var/sadm/*"/>
<readonly-path path="/var/spool/postrun/*"/>
<readonly-path path="/var/svc/manifest/*"/>
<readonly-path path="/var/svc/profile/*"/>
<writable-path path="/etc/*"/>
<writable-path path="/var/*"/>
<writable-path path="/root/*"/>
</file-mac-profile>
</brand>