Friday, January 20, 2012

MWAC in Global Zone

Solaris 11 has a new cool feature called Immutable Zones. Darren Moffat presented the new features in Solaris 11 Zones at the last LOSUG meeting in London. Immutable Zones basically allow read-only or partially read-only Zones to be deployed. You can even combine it with ZFS encryption - see Darren's blog entry for more details. The underlying technology behind immutable zones is called Mandatory Write Access Control (MWAC) and is implemented in the kernel. So for each open, unlink, etc. syscall the VFS layer checks whether MWAC is enabled for the given filesystem and zone; if it is, it checks the white and black lists associated with the zone and potentially denies write access to the file (returning EROFS). The actual definitions of the different default profiles are located in the /usr/lib/brand/solaris/config.xml file. It is *very* simple to use the pre-defined profiles when creating a zone and it just works. Really cool. Thanks Darren for the great demo.

Now MWAC only works with non-global zones... at least by default. There is no public interface exposed to manipulate MWAC rules directly or to enable it for the global zone, but that doesn't mean one can't try to do it anyway. DTrace, objdump, mdb, etc. were very helpful here to see what's going on. The result of a couple of hours of fun is below.

root@global # touch /test/file1
root@global # rm -f /test/file1
root@global # ./mwac -b "/test/file1"
MWAC black list for the global zone installed.

root@global # touch /test/file1
touch: cannot create /test/file1: Read-only file system
root@global # touch /test/file2 ; rm /test/file2
root@global # 
Now let's disable MWAC again:
root@global # mwac -u
MWAC unlock succeeded.

root@global # touch /test/file1 ; rm /test/file1
root@global # 
You can even use patterns:
root@global # mwac -b "/test/*"
MWAC black list for the global zone installed.

root@global # touch /test/a ; mkdir /test/b
touch: cannot create /test/a: Read-only file system
mkdir: Failed to make directory "/test/b"; Read-only file system
root@global # 
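To make the check described above concrete, here is an added Python model of the per-syscall MWAC decision (this is illustrative code written for this post, not the kernel implementation or the mwac tool); it assumes fnmatch-style pattern matching and that a white-list match exempts a path from the black list, neither of which the post documents, and it replays the terminal session shown above.

```python
import errno
from fnmatch import fnmatchcase

# Syscalls the post describes as write operations subject to the MWAC check.
WRITE_OPS = {"open_write", "creat", "unlink", "mkdir", "rmdir", "rename"}


class ZoneMwac:
    """Per-zone MWAC state: an enable flag plus black and white lists.

    Assumptions (not from the post): entries are fnmatch-style patterns,
    and a white-list match exempts a path that a black-list pattern matches.
    """

    def __init__(self):
        self.enabled = False
        self.black = []
        self.white = []

    def install_black_list(self, *patterns):   # models `mwac -b PATTERN`
        self.black = list(patterns)
        self.enabled = True

    def unlock(self):                          # models `mwac -u`
        self.enabled = False
        self.black, self.white = [], []

    def check(self, op, path):
        """Return 0 if the VFS layer would allow op on path, else errno.EROFS."""
        if not self.enabled or op not in WRITE_OPS:
            return 0                           # read-only ops are never blocked
        if any(fnmatchcase(path, p) for p in self.white):
            return 0                           # white list wins over black list
        if any(fnmatchcase(path, p) for p in self.black):
            return errno.EROFS                 # "Read-only file system"
        return 0


def replay_post_session():
    """Replay the global-zone session from the post; returns each check's errno."""
    z = ZoneMwac()
    z.install_black_list("/test/file1")
    r1 = z.check("creat", "/test/file1")       # touch /test/file1 -> EROFS
    r2 = z.check("creat", "/test/file2")       # touch /test/file2 -> allowed
    z.unlock()
    r3 = z.check("creat", "/test/file1")       # after mwac -u -> allowed
    z.install_black_list("/test/*")
    r4 = z.check("creat", "/test/a")           # touch /test/a -> EROFS
    r5 = z.check("mkdir", "/test/b")           # mkdir /test/b -> EROFS
    r6 = z.check("open_read", "/test/a")       # reads are unaffected
    return [r1, r2, r3, r4, r5, r6]
```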

2 comments:

Anonymous said...

nice, I'll use it to trick our SA's :)

Antony Pavlenko said...

And what about "./mwac" util?
Is it available?