Now MWAC only works with non-global zones... at least by default. There is no public interface exposed to manipulate MWAC rules directly or to enable it for a global zone, but that doesn't mean one can't try to do it anyway. DTrace, objdump, mdb, etc. were very helpful here to see what's going on. The result of a couple of hours of fun is below.
root@global # touch /test/file1
root@global # rm -f /test/file1
root@global # ./mwac -b "/test/file1"
MWAC black list for the global zone installed.
root@global # touch /test/file1
touch: cannot create /test/file1: Read-only file system
root@global # touch /test/file2 ; rm /test/file2
root@global #

Now let's disable MWAC again:
root@global # mwac -u
MWAC unlock succeeded.
root@global # touch /test/file1 ; rm /test/file1
root@global #

You can even use patterns:
root@global # mwac -b "/test/*"
MWAC black list for the global zone installed.
root@global # touch /test/a ; mkdir /test/b
touch: cannot create /test/a: Read-only file system
mkdir: Failed to make directory "/test/b"; Read-only file system
root@global #
nice, I'll use it to trick our SA's :)
And what about "./mwac" util?
Is it available?
I finally finished this for Solaris 11.2
https://blogs.oracle.com/casper/entry/solaris_11_2_immutable_global