[crossbow-discuss] IP Instances, default privileges
Dong-Hai Han
Donghai.Han at Sun.COM
Thu Jun 28 19:44:19 PDT 2007
Hello, Kais,
Thanks for the info. The output of zonecfg shows that its ip-type is
shared; that's why it cannot have sys_ip_config, it's by design. Looks
like you changed ip-type in-between your tests.
Best,
Donghai.
Kais Belgaied Wrote:
> the steps are what Jeff described:
> . create a zone with a shared stack
> . set the limitpriv to
> "basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource"
>
> (the default minus some privs)
>
> . set the ip-type to exclusive
>
> . attempt a boot
>
> zone z-b2 on data1.sfbay is sitting in that state if you wanna take a look.
>
> bash-3.00# zonecfg -z z-b2 info
> zonename: z-b2
> zonepath: /opt/z-b2
> brand: native
> autoboot: false
> bootargs:
> pool:
> limitpriv:
> basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_privaddr,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource,sys_ip_config
>
> scheduling-class:
> ip-type: shared
> inherit-pkg-dir:
> dir: /usr
> inherit-pkg-dir:
> dir: /lib
> inherit-pkg-dir:
> dir: /opt
>
> Kais.
>
> Dong-Hai Han wrote:
>
>> Could you please give more information, like the output of zonecfg info
>> and the steps you used?
>>
>> Best,
>>
>> Donghai.
>>
>> Kais Belgaied Wrote:
>>
>>> Jeff Victor wrote:
>>>
>>>> Zones marked "set ip-type=exclusive" automatically get the privilege
>>>> sys_ip_config added to the default limit set. If I have customized
>>>> a zone's limit set, and *then* mark it exclusive-IP, will the
>>>> sys_ip_config priv be added to the customized list, or will the list
>>>> be replaced with the default set plus sys_ip_config?
>>>>
>>>
>>> Setting the exclusive ip-type just adds net_rawaccess and
>>> sys_ip_config to the 'default' set.
>>>
>>> If you have customized the zone's limit set by adding privileges to
>>> the 'default' set, then setting
>>> ip-stack=exclusive later will just add net_rawaccess and
>>> sys_ip_config to the new 'L' set.
>>>
>>> If you have reduced the 'default', then set ip-stack=exclusive, the
>>> zone fails to verify and boot:
>>>
>>> # zoneadm -z z-b2 boot
>>> required privilege "sys_ip_config" is missing from the zone's
>>> privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Now, if you try to manually add "sys_ip_config" from zonecfg, then
>>> you'll see the following failure:
>>>
>>> # zoneadm -z z-b2 boot
>>> privilege "sys_ip_config" is not permitted within the zone's
>>> privilege set
>>> zoneadm: zone z-b2 failed to verify
>>>
>>> Please go ahead and file a bug.
>>>
>>>
>>> Thanks,
>>>
>>> Kais.
>>> _______________________________________________
>>> crossbow-discuss mailing list
>>> crossbow-discuss at opensolaris.org
>>> http://opensolaris.org/mailman/listinfo/crossbow-discuss
>>
>>
>>
>
>
>
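As an added example (not from the thread or from the zones code), a pre-boot sanity check that applies the rules stated above to the text of `zonecfg -z ZONE info`: an exclusive stack needs net_rawaccess and sys_ip_config in a custom limitpriv, and a shared stack may not carry sys_ip_config. The `check_zone_privs` and `has_priv` helpers and both sample zonecfg outputs are constructed here; only explicit comma-separated privilege lists are understood.

```shell
# Constructed sample: zonecfg info output in the shape shown in the thread
# (shared stack, but sys_ip_config added by hand to limitpriv).
SAMPLE_SHARED_BAD='zonename: z-b2
zonepath: /opt/z-b2
limitpriv: basic,file_chown,net_privaddr,sys_mount,sys_ip_config
ip-type: shared'

# Constructed sample: exclusive stack with both privileges the stack needs.
SAMPLE_EXCLUSIVE_OK='zonename: z-b3
zonepath: /opt/z-b3
limitpriv: basic,file_chown,net_privaddr,net_rawaccess,sys_ip_config
ip-type: exclusive'

# has_priv NAME LIST: true when NAME is one of the comma-separated privileges.
has_priv() {
    printf ',%s,' "$2" | grep -q ",$1,"
}

# check_zone_privs: read "zonecfg -z ZONE info" output on stdin and report
# whether limitpriv is consistent with ip-type. An empty limitpriv means the
# default set, which zoneadm completes itself, so it is accepted as-is.
check_zone_privs() {
    info=$(cat)
    limitpriv=$(printf '%s\n' "$info" | awk -F': *' '/^limitpriv:/ { print $2 }')
    iptype=$(printf '%s\n' "$info" | awk -F': *' '/^ip-type:/ { print $2 }')
    if [ -z "$limitpriv" ]; then
        echo "limitpriv is the default set; nothing to check"
        return 0
    fi
    case "$iptype" in
    exclusive)
        # A reduced custom set that lacks either of these fails verify.
        for p in net_rawaccess sys_ip_config; do
            if ! has_priv "$p" "$limitpriv"; then
                echo "required privilege \"$p\" is missing from the zone's privilege set"
                return 1
            fi
        done ;;
    shared)
        if has_priv sys_ip_config "$limitpriv"; then
            echo "privilege \"sys_ip_config\" is not permitted within the zone's privilege set"
            return 1
        fi ;;
    *)
        echo "unrecognised ip-type: '$iptype'"; return 2 ;;
    esac
    echo "limitpriv is consistent with ip-type=$iptype"
}
```

Feed it the real output with `zonecfg -z ZONE info | check_zone_privs` before `zoneadm boot`; a non-zero exit means the zone would fail to verify.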