Unix Domain Sockets for X11 clients in Trusted Extensions [LSARC/2008/506 FastTrack timeout 08/14/2008]
Kais Belgaied
Kais.Belgaied at Sun.COM
Wed Aug 6 20:11:37 PDT 2008
> Solution
>
> a) Allow labeled zones to access global zone X11 server via UNIX domain sockets
>
> If Trusted Extensions is enabled, the kernel will permit labeled zones
> to connect to global zone clients if the global zone UNIX domain
> rendezvous file is made available to the zone via a loopback mount.
>
When you do (b), (a) follows naturally without any extra change.
connect(3SOCKET)'ing to the AF_UNIX socket named /var/tsol/door/.X11-unix
will succeed the moment that node is visible to the zone.

Am I missing a change proposed in sockfs or another part of the Solaris
kernel as part of this case?

Kais.
>
> b) The X11 server will use a new rendezvous directory when TX is enabled.
>
> Normally, the UNIX domain rendezvous files are in the directory /tmp/.X11-unix.
> To allow the rendezvous files to be exported to labeled zones, the directory
> pathname will be changed to:
>
> /var/tsol/door/.X11-unix.
>
> This directory pathname is chosen because /var/tsol/doors is already
> loopback mounted into every labeled zone, to export the door rendezvous
> files for nscd and the label daemon. To make this change transparent to
> clients, a symbolic link to /tmp/.X11-unix will be created in each zone,
> including the global zone.
>
> This solution will permit labeled zone X11 clients to use any of the
> various DISPLAY environment variables they have been using previously,
> and not require the use of TCP.
>
>
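The path-resolution behaviour discussed in this thread, as an added example that is not part of the original message or of the ARC case: a listener binds under a relocated rendezvous directory, and a client that only knows the legacy pathname fails with ENOENT until a symbolic link makes the node visible under that name. The scratch directory and the names `doors.X11-unix` and `tmp.X11-unix` are constructed stand-ins for the real directories; zones, loopback mounts and label checks are not modelled.

```c
#define _DEFAULT_SOURCE              /* mkdtemp/symlink under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Build a sockaddr_un for path; refuse paths that would be truncated. */
static int un_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa->sun_path) return -1;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Client side: connect to a rendezvous path; returns 0 or the errno seen. */
int try_connect(const char *path) {
    struct sockaddr_un sa;
    if (un_addr(&sa, path) != 0) return ENAMETOOLONG;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Server binds in the relocated dir; client result before/after the symlink. */
int run_demo(int *before, int *after) {
    char root[] = "/tmp/txdemoXXXXXX";      /* constructed scratch root */
    char real[64], legacy[64], srv_path[80], cli_path[80];
    struct sockaddr_un sa;
    if (!mkdtemp(root)) return -1;
    snprintf(real, sizeof real, "%s/doors.X11-unix", root);   /* new directory */
    snprintf(legacy, sizeof legacy, "%s/tmp.X11-unix", root); /* legacy name   */
    snprintf(srv_path, sizeof srv_path, "%s/X0", real);
    snprintf(cli_path, sizeof cli_path, "%s/X0", legacy);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0 || mkdir(real, 0755) != 0 || un_addr(&sa, srv_path) != 0 ||
        bind(srv, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(srv, 4) != 0)
        return -1;
    *before = try_connect(cli_path);        /* node not visible yet */
    if (symlink(real, legacy) != 0) return -1;
    *after = try_connect(cli_path);         /* same path, now resolves */
    close(srv); unlink(srv_path); unlink(legacy); rmdir(real); rmdir(root);
    return 0;
}
```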