On 5/14/15 6:18, Joe Malcolm wrote:
> Yes, I figured this was the case - thanks for confirming. I knew it
> was containerized, but not that it couldn't fork.
>
> Out of curiosity, do the SmartOS orchestration tools (vmadm, etc.)
> expose these additional limitations, such as disabling forking, in
> some generic way, so they could be applied to non-kvm zones? Well, not
> being able to fork may not be the most sensible example in general,
> since that would make most zone applications impossible, but
> presumably there's a general mechanism down there somewhere.
Yes, this is a part of the general privileges mechanism. If you want to deny the entire zone a set of privileges (I wouldn't do this for fork), then you can use the vmadm 'limit_priv' property. However, what you'll find more useful is probably the libc interfaces for dropping privileges and the ppriv (http://illumos.org/man/1/ppriv) command which will let you make the change for an individual process and its children that you launch.

You may also want to look at RBAC and profiles as another way to restrict what a process in a zone can do. For example, you can use a profile shell and restrict the set of commands that may be executed down to a small set.

Robert

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
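The vmadm 'limit_priv' property and the ppriv -s option both take a privilege-set specification in the syntax described by priv_str_to_set(3C): a comma-separated list in which the set names all, none, basic and zone stand for whole sets and a leading '-' or '!' removes a privilege. The evaluator below is an added example for this thread, not code from SmartOS, illumos or anyone posting here. It assumes the documented left-to-right semantics, treats vmadm's 'default' keyword as a synonym for the basic set, and the privilege tables it carries are a constructed, abbreviated stand-in for the real list (privileges(5) on an illumos host is authoritative). Its use is reviewing a proposed limit_priv value before applying it: which basic privileges does it take away, and does proc_fork survive?

```python
"""Evaluate an illumos privilege-set specification and report what it denies.

Added example; not SmartOS or illumos code. Syntax follows priv_str_to_set(3C)
as documented: tokens are processed left to right, set names add (or, when
prefixed with '-' / '!', remove) a whole set, 'none' clears the working set,
and a bare or '+'-prefixed name adds a single privilege.
"""

# CONSTRUCTED, abbreviated privilege tables; the real illumos list is longer.
BASIC_PRIVS = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})
# Assumed default privilege set of a non-global zone (a superset of basic).
ZONE_PRIVS = BASIC_PRIVS | frozenset({
    "contract_event", "contract_identity", "contract_observer",
    "file_chown", "file_chown_self", "file_dac_read", "file_dac_write",
    "file_owner", "file_setid", "ipc_dac_read", "ipc_dac_write", "ipc_owner",
    "net_privaddr", "net_rawaccess", "proc_chroot", "proc_owner",
    "proc_setid", "proc_taskid", "sys_admin", "sys_mount", "sys_resource",
})
# Privileges only the global zone normally holds (again constructed).
ALL_PRIVS = ZONE_PRIVS | frozenset({
    "dtrace_kernel", "dtrace_proc", "dtrace_user", "proc_lock_memory",
    "proc_priocntl", "proc_zone", "sys_config", "sys_devices",
    "sys_ip_config", "sys_net_config", "sys_time",
})

# 'default' is vmadm's spelling for the baseline set; treated as basic here.
SET_NAMES = {
    "all": ALL_PRIVS,
    "basic": BASIC_PRIVS,
    "default": BASIC_PRIVS,
    "zone": ZONE_PRIVS,
}


def _known(name: str) -> str:
    """Reject unknown privilege names so a typo cannot leave a privilege in place."""
    if name not in ALL_PRIVS:
        raise ValueError(f"unknown privilege: {name!r}")
    return name


def evaluate_priv_spec(spec: str) -> frozenset:
    """Return the privilege set denoted by a comma-separated specification."""
    result: set = set()
    for raw in spec.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token[0] in "-!"
        if token[0] in "+-!":
            token = token[1:]
        if token == "none":
            result = set()          # 'none' clears whatever was accumulated so far
            continue
        members = SET_NAMES.get(token)
        if members is None:
            members = {_known(token)}
        if remove:
            result -= members
        else:
            result |= members
    return frozenset(result)


def denied_privileges(spec: str, baseline: frozenset = BASIC_PRIVS) -> list:
    """Sorted list of 'baseline' privileges that the specification takes away."""
    return sorted(baseline - evaluate_priv_spec(spec))


def can_fork(spec: str) -> bool:
    """True if a process limited to this set would still hold proc_fork."""
    return "proc_fork" in evaluate_priv_spec(spec)


if __name__ == "__main__":
    # Constructed sample limit_priv values, in the style one would pass to vmadm.
    for sample in ("default",
                   "default,-proc_info,-proc_session",
                   "basic,-proc_fork",
                   "none,proc_exec,proc_fork"):
        print(f"{sample:36} denied from basic: {denied_privileges(sample)}"
              f"  fork: {'yes' if can_fork(sample) else 'no'}")
```

Run as a script it walks the constructed samples; imported, the three functions can be applied to a real limit_priv string pulled from a zone's JSON before it is committed. A ValueError on an unrecognised name is deliberate: the real parser also rejects the whole string rather than silently ignoring the bad token.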
