Unix Domain Sockets for X11 clients in Trusted Extensions [LSARC/2008/506 FastTrack timeout 08/14/2008]
Ric Aleshire
ric.aleshire at sun.com
Wed Aug 13 11:23:08 PDT 2008
Gary Winiger wrote:
>> Edward Pilatowicz wrote:
>>
>>> i'm not asking about the X11 behavior wrt zones, i'm asking about the
>>> cross-zone domain sockets behavior.
>>>
>>> has cross-zone UNIX domain traffic always been disallowed since zones
>>> were introduced? if not, when was that restriction added?
>>>
>>>
>> The restriction was part of the initial zones project integration.
>>
>
> Since other forms of IPC export from the global zone exist
> (viz. doors), what's the compelling reason to not allow
> IPC of Unix domain? That is, why should this only be
> allowed for labeled systems?
> It seems to me there is little policy difference between
> a door rendezvous and a Unix domain socket rendezvous
> being exported from the GZ to another zone.
> Has anyone checked with the Zones and networking project
> teams?
> IMO, the restriction should just be removed (the less TX specific
> code the better ;-).
>
> Gary..
>
I'm checking with the Zones group, but from my perspective I have no
problem with making just the kernel socket change "global" and not
dependent on TX. So the "a)" part would just read:

  The kernel will permit labeled zones to connect to global zone
  clients if the global zone UNIX domain rendezvous file is made
  available to the zone via a loopback mount.

If anyone has any issue with this plan or believes more time is needed
to run the case due to this modification, please reply. As mentioned,
I'll check explicitly with zones-core.
-Ric