Interestingly this same issue came up on another alias today.
Amjad Khan responded with the following detailed and useful
suggestion. Hope this helps you as well.
When a zone is created in the kernel there is a default set of "safe"
privileges which are used as a mask for all processes that run inside
the zone. These privileges are "safe" in the sense that a privileged
process in the zone cannot affect processes in other non-global zones
on the system or in the global zone. Many of the "unsafe" privileges
are ones which affect a global resource, such as the Real Time(RT),
system clock or physical memory.
A number of customers have requested the ability to augment this
default set of privileges with the understanding that changes in the
zone's privilege set may open up a security window or allow processes
in one zone to be able to affect processes in other zones by being
able to control a global resource. The Solaris development team
decided to leave the default set of privileges for a non-global zone
unchanged. In order to specify a different privilege mask, a zonecfg
global property is introduced, "limitpriv", which is modeled after the
key of the same name in the user_attr database. The property value
should be a comma-separated privilege set as specified by
priv_str_to_set. The "dtrace_proc" privilege has been introduced to
delegate a privilege to a zone so that dtrace can be used within a non-
global zone. One should be able to modify the zone configuration for
the existing zone or set the privilege at the time of creating new zone.
% zonecfg -z zonetest1
For only dtrace privilege
% zonecfg:zonetest1> set
% zonecfg:zonetest1> info => listing, not the newly added
privilege is listed
NOTE: The zone would need to be restarted for this to take effect if
the existing running zone is modified. Privileges are added to non-
global zones by the global zone administrator only.
Once the dtrace privilege is delegated to a zone then you should be
able to use it in that particular non-global zone.
Hope this helps
Post by Diego Lima
I have solaris 10 machine and I was trying out dtrace. I downloaded
dtrace: invalid probe specifier
probe description dtrace:::BEGIN does not match any probes (iotop)
probe description syscall:::return does not match any probes
I'm running dtrace from inside a zone and SUNWdtrc is properly
installed. Any ideas as to what is going on?
dtrace-discuss mailing list