Sandbox without networking
For quite a while now, the ability to access the network has been a privilege in Solaris and not something you always have the right to do, like the privilege to export things in the United States. In Oracle Solaris 11.4 it became really easy to run applications in such an environment: when you know your application should never ever use networking, you can jail it in a sandbox. Without further options, you have the privilege to use the network.
However, if you start the sandbox with the -n option, a command run inside the sandbox doesn’t have the permission to do so:
The difference between both commands is the set of privileges given to the processes inside the sandboxes.
The privilege to access the network has been explicitly removed by the !net_access. A sandbox without the -n doesn’t have this limitation, thus you can use the network.
By the way: I used the root user to show that this limitation is in place even for processes running with root or root-equivalent privileges.